HCIA-Datacom V1.0 Training Material [PDF]

Zitiervorschau

• Examples of network communication: ▫ A. Two computers connected with a network cable form the simplest network. ▫ B. A small network consists of a router (or switch) and multiple computers. In such a network, files can be freely transferred between every two computers through the router or switch. ▫ C. To download a file from a website, a computer must first access the Internet. • The Internet is the largest computer network in the world. Its predecessor, Advanced Research Projects Agency Network (ARPAnet), was born in 1969. The wide popularization and application of the Internet is one of the landmarks of the information age.

• Comparison between express delivery (object transfer) and network communication: • Objects to be delivered by express delivery: ▫ The application generates the information (or data) to be delivered. • The objects are packaged and attached with a delivery form containing the name and address of the consignee. ▫ The application packs the data into the original "data payload", and adds the "header" and "tail" to form a packet. The important information in the packet is the address information of the receiver, that is, the "destination address".

▫ The process of adding some new information segments to an information unit to form a new information unit is called encapsulation. • The package is sent to the distribution center, where packages are sorted based on the destination addresses and the packages destined for the same city are placed on the same plane. ▫ The packet reaches the gateway through the network cable. After receiving the packet, the gateway decapsulates the packet, reads the destination address, and then re-encapsulates the packet. Then, the gateway sends the packet to a router based on the destination address. After being transmitted through the gateway and router, the packet leaves the local network and enters the Internet for transmission. ▫ The network cable functions similarly as the highway. The network cable is the medium for information transfer.

• Data payload: It can be considered as the information to be transmitted. However, in a hierarchical communication process, the data unit (packet) transmitted from the upper layer to the lower layer can be called the data payload of the lower layer. • Packet: a data unit that is exchanged and transmitted on a network. It is in the format of header+data payload+tail. During transmission, the format and content of packets may change. • Header: The information segment added before the data payload during packet assembly to facilitate information transmission is called the packet header. • Tail: The information segment added after the payload to facilitate information transmission is called the tail of a packet. Note that many packets do not have tails.

• Encapsulation: A technology used by layered protocols. When the lower-layer protocol receives a message from the upper-layer protocol, the message is added to the data part of the lower-layer frame. • Decapsulation: It is the reverse process of encapsulation. That is, the header and tail of a packet are removed to obtain the data payload. • Gateway: A gateway is a network device that provides functions such as protocol conversion, route selection, and data exchange when networks using different architectures or protocols communicate with each other. A gateway is a term that is named based on its deployment location and functionality, rather than a specific device type. • Router: a network device that selects a transmission path for a packet.

• Terminal device: It is the end device of the data communication system. As the data sender or receiver, the terminal device provides the necessary functions required by the user access protocol operations. The terminal device may be a computer, server, VoIP, or mobile phone.

• Switches: ▫ On a campus network, a switch is the device closest to end users and is used to connect terminals to the campus network. Switches at the access layer are usually Layer 2 switches and are also called Ethernet switches. Layer 2 refers to the data link layer of the TCP/IP reference model. ▫ The Ethernet switch can implement the following functions: data frame switching, access of end user devices, basic access security functions, and Layer 2 link redundancy. ▫ Broadcast domain: A set of nodes that can receive broadcast packets from a node.

• Routers: ▫ Routers work at the network layer of the TCP/IP reference model. ▫ Routers can implement the following functions: routing table and routing information maintenance, route discovery and path selection, data forwarding, broadcast domain isolation, WAN access, network address translation, and specific security functions.

• Firewall: ▫ It is located between two networks with different trust levels (for example, between an intranet and the Internet). It controls the communication between the two networks and forcibly implements unified security policies to prevent unauthorized access to important information resources.

• In a broad sense, WLAN is a network that uses radio waves, laser, and infrared signals to replace some or all transmission media in a wired LAN. Common Wi-Fi is a WLAN technology based on the IEEE 802.11 family of standards. • On a WLAN, common devices include fat APs, fit APs, and ACs. ▫ AP:

▪ Generally, it supports the fat AP, fit AP, and cloud-based management modes. You can flexibly switch between these modes based on network planning requirements. ▪ Fat AP: It is applicable to homes. It works independently and needs to be configured separately. It has simple functions and low costs.

▪ Fit AP: It applies to medium- and large-sized enterprises. It needs to work with the AC and is managed and configured by the AC. ▪ Cloud-based management: It applies to small- and medium-sized enterprises. It needs to work with the cloud-based management platform for unified management and configuration. It provides various functions and supports plug-and-play. ▫ AC: ▪ It is generally deployed at the aggregation layer of the entire network to provide high-speed, secure, and reliable WLAN services. ▪ The AC provides wireless data control services featuring large capacity, high performance, high reliability, easy installation, and easy maintenance. It features flexible networking and energy saving.

• Based on the geographical coverage, networks can be classified into LANs, WANs, and MANs. • LAN: ▫ Basic characteristics: ▪ An LAN generally covers an area of a few square kilometers. ▪ The main function is to connect several terminals that are close to each other (within a family, within one or more buildings, within a campus, for example).

▫ Technologies used: Ethernet and Wi-Fi. • MAN: ▫ Basic characteristics: ▪ A MAN is a large-sized LAN, which requires high costs but can provide a higher transmission rate. It improves the transmission media in LANs and expands the access scope of LANs (able to cover a university campus or city). ▪ The main function is to connect hosts, databases, and LANs at different locations in the same city. ▪ The functions of a MAN are similar to those of a WAN except for implementation modes and performance. ▫ Technologies used: such as Ethernet (10 Gbit/s or 100 Gbit/s) and WiMAX.

• Network topology drawing: ▫ It is very important to master professional network topology drawing skills, which requires a lot of practice. ▫ Visio and Power Point are two common tools for drawing network topologies.

• Star network topology: ▫ All nodes are connected through a central node. ▫ Advantages: New nodes can be easily added to the network. Communication data must be forwarded by the central node, which facilitates network monitoring. ▫ Disadvantages: Faults on the central node affect the communication of the entire network. • Bus network topology:

▫ All nodes are connected through a bus (coaxial cable for example). ▫ Advantages: The installation is simple and cable resources are saved. Generally, the failure of a node does not affect the communication of the entire network. ▫ Disadvantages: A bus fault affects the communication of the entire network. The information sent by a node can be received by all other nodes, resulting in low security. • Ring network topology: ▫ All nodes are connected to form a closed ring. ▫ Advantages: Cables resources are saved. ▫ Disadvantages: It is difficult to add new nodes. The original ring must be interrupted before new nodes are inserted to form a new ring.

• Network engineering covers a series of activities around the network, including network planning, design, implementation, commissioning, and troubleshooting. • The knowledge field of network engineering design is very wide, in which routing and switching are the basis of the computer network.

• Huawei talent ecosystem website: https://e.huawei.com/en/talent/#/home

• HCIA-Datacom: one course (exam) ▫ Basic concepts of data communication, basis of routing and switching, security, WLAN, SDN and NFV, basis of programming automation, and network deployment cases • HCIP-Datacom: one mandatory course (exam) and six optional sub-certification courses (exams) ▫ Mandatory course (exam): ▪ HCIP-Datacom-Core Technology ▫ Optional courses (exams): ▪ HCIP-Datacom-Advanced Routing & Switching Technology ▪ HCIP-Datacom-Campus Network Planning and Deployment ▪ HCIP-Datacom-Enterprise Network Solution Design ▪ HCIP-Datacom-WAN Planning and Deployment ▪ HCIP-Datacom-SD-WAN Planning and Deployment ▪ HCIP-Datacom-Network Automation Developer •

HCIE-Datacom: one course (exam), integrating two modules ▫ Classic network: ▪ Classic datacom technology theory based on command lines ▪ Classic datacom technology deployment based on command lines ▫ Huawei SDN solution: ▪ Enterprise SDN solution technology theory ▪ Enterprise SDN solution planning and deployment

1. C

• A computer can identify only digital data consisting of 0s and 1s. It is incapable of reading other types of information, so the information needs to be translated into data by certain rules. • However, people do not have the capability of reading electronic data. Therefore, data needs to be converted into information that can be understood by people. • A network engineer needs to pay more attention to the end-to-end data transmission process.

• The Open Systems Interconnection Model (OSI) was included in the ISO 7489 standard and released in 1984. ISO stands for International Organization for Standardization. • The OSI reference model is also called the seven-layer model. The seven layers from bottom to top are as follows:

▫ Physical layer: transmits bit flows between devices and defines physical specifications such as electrical levels, speeds, and cable pins. ▫ Data link layer: encapsulates bits into octets and octets into frames, uses MAC addresses to access media, and implements error checking.

▫ Network layer: defines logical addresses for routers to determine paths and transmits data from source networks to destination networks. ▫ Transport layer: implements connection-oriented and non-connection-oriented data transmission, as well as error checking before retransmission.

▫ Session layer: establishes, manages, and terminates sessions between entities at the presentation layer. Communication at this layer is implemented through service requests and responses transmitted between applications on different devices. ▫ Presentation layer: provides data encoding and conversion so that data sent by the application layer of one system can be identified by the application layer of another system. ▫ Application layer: provides network services for applications and the OSI layer

closest to end users.

• The TCP/IP model is similar to the OSI model in structure and adopts a hierarchical architecture. Adjacent TCP/IP layers are closely related. • The standard TCP/IP model combines the data link layer and physical layer in the OSI model into the network access layer. This division mode is contrary to the actual protocol formulation. Therefore, the equivalent TCP/IP model that integrates the TCP/IP standard model and the OSI model is proposed. Contents in the following slides are based on the equivalent TCP/IP model.

• Application Layer ▫ Hypertext Transfer Protocol (HTTP): is used to access various pages on web servers. ▫ File Transfer Protocol (FTP): provides a method for transferring files. It allows data to be transferred from one host to another.

▫ Domain name service (DNS): translates from host domain names to IP addresses. • Transport layer ▫ Transmission Control Protocol (TCP): provides reliable connection-oriented communication services for applications. Currently, TCP is used by many popular applications. ▫ User Datagram Protocol (UDP): provides connectionless communication and does not guarantee the reliability of packet transmission. The reliability can be ensured by the application layer. • Network layer ▫ Internet Protocol (IP): encapsulates transport-layer data into data packets and forwards packets from source sites to destination sites. IP provides a connectionless and unreliable service. ▫ Internet Group Management Protocol (IGMP): manages multicast group memberships. Specifically, IGMP sets up and maintains memberships between IP hosts and their directly connected multicast routers.

▫ Internet Control Message Protocol (ICMP): sends control messages based on the IP protocol and provides information about various problems that may exist in the communication environment. Such information helps administrators diagnose problems and take proper measures to resolve the problems.

• The TCP/IP suite enables data to be transmitted over a network. The layers use packet data units (PDUs) to exchange data, implementing communication between network devices. • PDUs transmitted at different layers contain different information. Therefore, PDUs have different names at different layers.

• TCP header: ▫ Source Port: identifies the application that sends the segment. This field is 16 bits long. ▫ Destination Port: identifies the application that receives the segment. This field is 16 bits long.

▫ Sequence Number: Every byte of data sent over a TCP connection has a sequence number. The value of the Sequence Number field equals the sequence number of the first byte in a sent segment. This field is 32 bits long. ▫ Acknowledgment Number: indicates the sequence number of the next segment's first byte that the receiver is expecting to receive. The value of this field is 1 plus the sequence number of the last byte in the previous segment that is successfully received. This field is valid only when the ACK flag is set. This field is 32 bits long. ▫ Header Length: indicates the length of the TCP header. The unit is 32 bits (4 bytes). If there is no option content, the value of this field is 5, indicating that the header contains 20 bytes. ▫ Reserved: This field is reserved and must be set to 0. This field is 6 bits long. ▫ Control Bits: control bits, includes FIN, ACK, and SYN flags, indicating TCP data segments in different states. ▫ Window: used for TCP flow control. The value is the maximum number of bytes that are allowed by the receiver. The maximum window size is 65535 bytes. This field is 16 bits long. ▫ Checksum: a mandatory field. It is calculated and stored by the sender and verified by the receiver. During checksum computation, the TCP header and TCP data are included, and a 12-byte pseudo header is added before the TCP segment. This field is 16 bits long.

• The TCP connection setup process is as follows: ▫ The TCP connection initiator (PC1 in the figure) sends the first TCP segment with SYN being set. The initial sequence number a is a randomly generated number. The acknowledgment number is 0 because no segment has ever been received from PC2. ▫ After receiving a valid TCP segment with the SYN flag being set, the receiver (PC2) replies with a TCP segment with SYN and ACK being set. The initial sequence number b is a randomly generated number. Because the segment is a response one to PC1, the acknowledgment number is a+1. ▫ After receiving the TCP segment in which SYN and ACK are set, PC1 replies with a segment in which ACK is set, the sequence number is a+1, and the acknowledgment number is b+1. After PC2 receives the segment, a TCP connection is established.

• Assume that PC1 needs to send segments of data to PC2. The transmission process is as follows: 1. PC1 numbers each byte to be sent by TCP. Assume that the number of the first byte is a+1. Then, the number of the second byte is a+2, the number of the third byte is a+3, and so on. 2. PC1 uses the number of the first byte of each segment of data as the sequence number and sends out the TCP segment. 3. After receiving the TCP segment from PC1, PC2 needs to acknowledge the segment and request the next segment of data. How is the next segment of data determined? Sequence number (a+1) + Payload length = Sequence number of the first byte of the next segment (a+1+12) 4. After receiving the TCP segment sent by PC2, PC1 finds that the acknowledgment number is a+1+12, indicating that the segments from a+1 to a+12 have been received and the sequence number of the upcoming segment to be sent should be a+1+12. • To improve the sending efficiency, multiple segments of data can be sent at a time by the sender and then acknowledged at a time by the receiver.

1. During the TCP three-way handshake, both ends notify each other of the maximum number of bytes (buffer size) that can be received by the local end through the Window field. 2. After the TCP connection is set up, the sender sends data of the specified number of bytes based on the window size declared by the receiver. 3. After receiving the data, the receiver stores the data in the buffer and waits for the upper-layer application to obtain the buffered data. After the data is obtained by the upper-layer application, the corresponding buffer space is released. 4. The receiver notifies the current acceptable data size (window) according to its buffer size. 5. The sender sends a certain amount of data based on the current window size of the receiver.

• TCP supports data transmission in full-duplex mode, which means that data can be transmitted in both directions at the same time. Before data is transmitted, TCP sets up a connection in both directions through three-way handshake. Therefore, after data transmission is complete, the connection must be closed in both directions. This is shown in the figure. 1. PC1 sends a TCP segment with FIN being set. The segment does not carry data. 2. After receiving the TCP segment from PC1, PC2 replies with a TCP segment with ACK being set. 3. PC2 checks whether data needs to be sent. If so, PC2 sends the data, and then a TCP segment with FIN being set to close the connection. Otherwise, PC2 directly sends a TCP segment with FIN being set. 4. After receiving the TCP segment with FIN being set, PC1 replies with an ACK segment. The TCP connection is then torn down in both directions.

• Internet Protocol Version 4 (IPv4) is the most widely used network layer protocol.

• When IP is used as the network layer protocol, both communication parties are assigned a unique IP address to identify themselves. An IP address can be written as a 32-bit binary integer. To facilitate reading and analysis, an IP address is usually represented in dot-decimal notation, consisting of four decimal numbers, each ranging from 0 to 255, separated by dots, such as, 192.168.1.1. • Encapsulation and forwarding of IP data packets: ▫ When receiving data from an upper layer (such as the transport layer), the network layer encapsulates an IP packet header and adds the source and destination IP addresses to the header. ▫ Each intermediate network device (such as a router) maintains a routing table that guides IP packet forwarding like a map. After receiving a packet, the intermediate network device reads the destination address of the packet, searches the local routing table for a matching entry, and forwards the IP packet according to the instruction of the matching entry. ▫ When the IP packet reaches the destination host, the destination host determines whether to accept the packet based on the destination IP address and then processes the packet accordingly. • In addition to the IP protocol, routing protocols such as OSPF, IS-IS, and BGP at the network layer help routers establish routing tables, and ICMP helps control networks and diagnose network status.

• A MAC address is recognizable as six groups of two hexadecimal digits, separated by hyphens, colons, or without a separator. Example: 48-A4-72-1C-8F-4F

• The Address Resolution Protocol (ARP) is a TCP/IP protocol that discovers the data link layer address associated with a given IP address. • ARP is an indispensable protocol in IPv4. It provides the following functions: ▫ Discovers the MAC address associated with a given IP address. ▫ Maintains and caches the mapping between IP addresses and MAC addresses through ARP entries. ▫ Detects duplicate IP addresses on a network segment.

• Generally, a network device has an ARP cache. The ARP cache stores the mapping between IP addresses and MAC addresses. • Before sending a datagram, a device searches its ARP table. If a matching ARP entry is found, the device encapsulates the corresponding MAC address in the frame and sends out the frame. If a matching ARP entry is not found, the device sends an ARP request to discover the MAC address. • The learned mapping between the IP address and MAC address is stored in the ARP table for a period. Within the validity period (180s by default), the device can directly search this table for the destination MAC address for data encapsulation, without performing ARP-based query. After the validity period expires, the ARP entry is automatically deleted. • If the destination device is located on another network, the source device searches the ARP table for the gateway MAC address of the destination address and sends the datagram to the gateway. Then, the gateway forwards the datagram to the destination device.

• In this example, the ARP table of Host 1 does not contain the MAC address of Host 2. Therefore, Host 1 sends an ARP request message to discover the destination MAC address. • The ARP request message is encapsulated in an Ethernet frame. The source MAC address in the frame header is the MAC address of Host 1 at the transmit end. Because Host 1 does not know the MAC address of Host 2, the destination MAC address is the broadcast address FF-FF-FF-FF-FF-FF. • The ARP request message contains the source MAC address, source IP address, destination MAC address, and destination IP address. The destination MAC address is all 0s. The ARP request message is broadcast to all hosts on the network, including gateways.

• After receiving the ARP request message, each host checks whether it is the destination of the message based on the carried destination IP address. If not, the host does not respond to the ARP request message. If so, the host adds the sender's MAC and IP addresses carried in the ARP request message to the ARP table, and then replies with an ARP reply message.

• Host 2 sends an ARP reply message to Host 1. • In the ARP reply message, the sender's IP address is the IP address of Host 2 and the receiver's IP address is the IP address of Host 1. The receiver's MAC address is the MAC address of Host 1 and the sender's MAC address is the MAC address of Host 2. The operation type is set to reply. • ARP reply messages are transmitted in unicast mode.

• After receiving the ARP reply message, Host 1 checks whether it is the destination of the message based on the carried destination IP address. If so, Host 1 records the carried sender's MAC and IP addresses in its ARP table.

• Twisted pairs: most common transmission media used on Ethernet networks. Twisted pairs can be classified into the following types based on their anti-electromagnetic interference capabilities: ▫ STP: shielded twisted pairs

▫ UTP: unshielded twisted pairs • Optical fiber transmission can be classified into the following types based on functional components: ▫ Fibers: optical transmission media, which are glass fibers, used to restrict optical transmission channels. ▫ Optical modules: convert electrical signals into optical signals to generate optical signals. • Serial cables are widely used on wide area networks (WANs). The types of interfaces connected to serial cables vary according to WAN line types. The interfaces include synchronous/synchronous serial interfaces, ATM interfaces, POS interfaces, and CE1/PRI interfaces. • Wireless signals may be transmitted by using electromagnetic waves. For example, a wireless router modulates data and sends the data by using electromagnetic waves, and a wireless network interface card of a mobile terminal demodulates the electromagnetic waves to obtain data. Data transmission from the wireless router to the mobile terminal is then complete.

• Assume that you are using a web browser to access Huawei's official website. After you enter the website address and press Enter, the following events occur on your computer: 1. The browser (application program) invokes HTTP (application layer protocol) to encapsulate the application layer data. (The DATA in the figure should also include the HTTP header, which is not shown here.) 2. HTTP uses TCP to ensure reliable data transmission and transmits encapsulated data to the TCP module. 3. The TCP module adds the corresponding TCP header information (such as the source and destination port numbers) to the data transmitted from the application layer. At the transport layer, the PDU is called a segment. 4. On an IPv4 network, the TCP module sends the encapsulated segment to the IPv4 module at the network layer. (On an IPv6 network, the segment is sent to the IPv6 module for processing.) 5. After receiving the segment from the TCP module, the IPv4 module encapsulates the IPv4 header. At this layer, the PDU is called a packet.

• In most cases: ▫ A Layer 2 device (such as an Ethernet switch) only decapsulates the Layer 2 header of the data and performs the corresponding switching operation according to the information in the Layer 2 header.

▫ A Layer 3 device (such as a router) decapsulates the Layer 3 header and performs routing operations based on the Layer 3 header information. ▫ Note: The details and principles of switching and routing will be described in subsequent courses.

• After being transmitted over the intermediate network, the data finally reaches the destination server. Based on the information in different protocol headers, the data is decapsulated layer by layer, processed, transmitted, and finally sent to the application on the web server for processing.

1. Answer: ▫ Clear division of functions and boundaries between layers facilitates the development, design, and troubleshooting of each component. ▫ The functions of each layer can be defined to impel industry standardization. ▫ Interfaces can be provided to enable communication between hardware and software on various networks, improving compatibility. 2. Answer: ▫ Application layer: HTTP, FTP, Telnet, and so on ▫ Transport layer: UDP and TCP ▫ Network layer: IP, ICMP, and so on ▫ Data link layer: Ethernet, PPP, PPPoE, and so on

• A configuration file is a collection of command lines. Current configurations are stored in a configuration file so that the configurations are still effective after the device restarts. Users can view configurations in the configuration file and upload the configuration file to other devices to implement batch configuration. • A patch is a kind of software compatible with the system software. It is used to fix bugs in system software. Patches can also fix system defects and optimize some functions to meet service requirements. • To manage files on a device, log in to the device through either of the following modes: ▫ Local login through the console port or Telnet ▫ Remote login through FTP, TFTP, or SFTP

• Storage media include SDRAM, flash memory, NVRAM, SD card, and USB. ▫ SDRAM stores the system running information and parameters. It is equivalent to a computer's memory. ▫ NVRAM is nonvolatile. Writing logs to the flash memory consumes CPU resources and is time-consuming. Therefore, the buffer mechanism is used. Specifically, logs are first saved to the buffer after being generated, and then written to the flash memory after the timer expires or the buffer is full. ▫ The flash memory and SD card are nonvolatile. Configuration files and system files are stored in the flash memory or SD card. For details, see the product documentation. ▫ SD cards are external memory media used for memory expansion. The USB is considered an interface. It is used to connect to a large-capacity storage medium for device upgrade and data transmission. ▫ Patch and PAF files are uploaded by maintenance personnel and can be stored in a specified directory.

• Boot Read-Only Memory (BootROM) is a set of programs added to the ROM chip of a device. BootROM stores the device's most important input and output programs, system settings, startup self-check program, and system automatic startup program. • The startup interface provides the information about the running program of the system, the running VRP version, and the loading path.

• To limit users' access permissions to a device, the device manages users by level and establishes a mapping between user levels and command levels. After a user logs in to a device, the user can use only commands of the corresponding levels or lower. By default, the user command level ranges from 0 to 3, and the user level ranges from 0 to 15. The mapping between user levels and command levels is shown in the table.

• Note: The login page, mode, and IP address may vary according to devices. For details, see the product documentation.

• Use a console cable to connect the console port of a device with the COM port of a computer. You can then use PuTTY on the computer to log in to the device and perform local commissioning and maintenance. A console port is an RJ45 port that complies with the RS232 serial port standard. At present, the COM ports provided by most desktop computers can be connected to console ports. In most cases, a laptop does not provide a COM port. Therefore, a USB-to-RS232 conversion port is required if you use a laptop. • The console port login function is enabled by default and does not need to be preconfigured.

• Many terminal simulators can initiate console connections. PuTTY is one of the options for connecting to VRP. If PuTTY is used for access to VRP, you must set port parameters. The figure in the slide shows examples of port parameter settings. If the parameter values were ever changed, you need to restore the default values. • After the settings are complete, click Open. The connection with VRP is then set up.

• By default, the SSH login function is disabled on a device. You need to log in to the device through the console port and configure mandatory parameters for SSH login before using the SSH login function.

• The CLI is an interface through which users can interact with a device. When the command prompt is displayed after a user logs in to a device, it means that the user has entered the CLI successfully.

• Each command must contain a maximum of one command word and can contain multiple keywords and parameters. A parameter must be composed of a parameter name and a parameter value. • The command word, keywords, parameter names, and parameter values in a command are separated by spaces.

• The user view is the first view displayed after you log in to a device. Only query and tool commands are provided in the user view. • In the user view, only the system view can be accessed. Global configuration commands are provided in the system view. If the system has a lower-level configuration view, the command for entering the lower-level configuration view is provided in the system view.

• After you log in to the system, the user view is displayed first. This view provides only display commands and tool commands, such as ping and telnet. It does not provide any configuration commands. • You can run the system-view command in the user view to enter the system view. The system view provides some simple global configuration commands. • In a complex configuration scenario, for example, multiple parameters need to be configured for an Ethernet interface, you can run the interface GigabitEthernet X command (X indicates the number of the interface) to enter the GE interface view. Configurations performed in this view take effect only on the specified GE interface.

• Note: "keyword" mentioned in this section means any character string except a parameter value string in a command. The meaning is different from that of "keyword" in the command format.

• The command help information displayed in this slide is for reference only, which varies according to devices.

• VRP uses the file system to manages files and directories on a device. To manage files and directories, you often need to run basic commands to query file or directory information. Such commonly used basic commands include pwd, dir [/all] [ filename | directory ], and more [ /binary ] filename [ offset ] [ all ]. ▫ The pwd command displays the current working directory. ▫ The dir [/all] [ filename | directory ] command displays information about files in the current directory. ▫ The more [/binary] filename [ offset ] [ all ] command displays the content of a text file. ▫ In this example, the dir command is run in the user view to display information about files in the flash memory. • Common commands for operating directories include cd directory, mkdir directory, and rmdir directory. ▫ The cd directory command changes the current working directory. ▫ The mkdir directory command creates a directory. A directory name can contain 1 to 64 characters.

• The rmdir directory command deletes a directory from the file system. A directory to be deleted must be empty; otherwise, it cannot be deleted using this command. • The copy source-filename destination-filename command copies a file. If the target file already exists, the system displays a message indicating that the target file will be replaced. The target file name cannot be the same as the system startup file name. Otherwise, the system displays an error message. • The move source-filename destination-filename command moves a file to another directory. The move command can be used to move files only within the same storage medium. • The rename old-name new-name command renames a directory or file. • The delete [/unreserved] [ /force ] { filename | devicename } command deletes a file. If the unreserved parameter is not specified, the deleted file is moved to the recycle bin. A file in the recycle bin can be restored using the undelete command. However, if the /unreserved parameter is specified, the file is permanently deleted and cannot be restored any more. If the /force parameter is not specified in the delete command, the system displays a message asking you whether to delete the file. However, if the /force parameter is specified, the system does not display the message. filename specifies the name of the file to be deleted, and devicename specifies the name of the

storage medium.

• The reset recycle-bin [ filename | devicename ] command permanently deletes all or a specified file in the recycle bin. filename specifies the name of the file to be permanently deleted, and devicename specifies the name of the storage medium.

• Generally, more than one device is deployed on a network, and the administrator needs to manage all devices in a unified manner. The first task of device commissioning is to set a system name. A system name uniquely identifies a device. The default system name of an AR series router is Huawei, and that of an S series switch is HUAWEI. A system name takes effect immediately after being set. • To ensure successful coordination with other devices, you need to correctly set the system clock. System clock = Coordinated Universal Time (UTC) ± Time difference between the UTC and the time of the local time zone. Generally, a device has default UTC and time difference settings.

▫ You can run the clock datetime command to set the system clock of the device. The date and time format is HH:MM:SS YYYY-MM-DD. If this command is run, the UTC is the system time minus the time difference. ▫ You can also change the UTC and the system time zone to change the system clock. ▪ The clock datetime utc HH:MM:SS YYYY-MM-DD changes the UTC. ▪ The clock timezone time-zone-name { add | minus } offset command configures the local time zone. The UTC is the local time plus or minus the offset. ▫ If a region adopts the daylight saving time, the system time is adjusted according to the user setting at the moment when the daylight saving time starts. VRP supports the daylight saving time function.

• Each type of user interface has a corresponding user interface view. A user interface view is a command line view provided by the system for you to configure and manage all physical and logical interfaces working in asynchronous interaction mode, implementing unified management of different user interfaces. Before accessing a device, you need to set user interface parameters. The system supports console and VTY user interfaces. The console port is a serial port provided by the main control board of a device. A VTY is a virtual line port. A VTY connection is set up after a Telnet or SSH connection is established between a user terminal and a device, allowing the user to access the device in VTY mode. Generally, a maximum of 15 users can log in to a device through VTY at the same time. You can run the user-interface maximum-vty number command to set the maximum number of users that can concurrently access a device in VTY mode. If the maximum number of login users is set to 0, no user can log in to the device through Telnet or SSH. The display user-interface command displays information about a user interface. • The maximum number of VTY interfaces may vary according to the device type and used VRP version.

• To run the IP service on an interface, you must configure an IP address for the interface. Generally, an interface requires only one IP address. For the same interface, a newly configured primary IP address replaces the original primary IP address. • You can run the ip address { mask | mask-length } command to configure an IP address for an interface. In this command, mask indicates a 32-bit subnet mask, for example, 255.255.255.0; mask-length indicates a mask length, for example, 24. Specify either of them when configuring an IP address. • A loopback interface is a logical interface that can be used to simulate a network or an IP host. The loopback interface is stable and reliable, and can also be used as the management interface if multiple protocols are deployed. • When configuring an IP address for a physical interface, check the physical status of the interface. By default, interfaces are up on Huawei routers and switches. If an interface is manually disabled, run the undo shutdown command to enable the interface after configuring an IP address for it.

• The reset saved-configuration command deletes the configurations saved in a configuration file or the configuration file. After this command is run, if you do not run the startup saved-configuration command to specify the configuration file for the next startup or the save command to save current configurations, the device uses the default parameter settings during system initialization when it restarts. • The display startup command displays the system software for the current and next startup, backup system software, configuration file, license file, and patch file, as well as voice file. • The startup saved-configuration configuration-file command configures the configuration file for the next startup. The configuration-file parameter specifies the name of the configuration file for the next startup. • The reboot command restarts a device. Before the device reboots, you are prompted to save configurations.

• For some devices, after the authentication-mode password command is entered, the password setting page will be displayed automatically. You can then enter the password at the page that is displayed. For some devices, you need to run the set authentication-mode password password command to set a password.

• To save configurations, run the save command. By default, configurations are saved in the vrpcfg.cfg file. You can also create a file for saving the configurations. In VRPv5, the configuration file is stored in the flash: directory by default.

• The display startup command displays the system software for the current and next startup, backup system software, configuration file, license file, and patch file, as well as voice file. ▫ Startup system software indicates the VRP file used for the current startup.

▫ Next startup system software indicates the VRP file to be used for the next startup. ▫ Startup saved-configuration file indicates the configuration file used for the current system startup.

▫ Next startup saved-configuration file indicates the configuration file to be used for the next startup. ▫ When a device starts, it loads the configuration file from the storage medium and initializes the configuration file. If no configuration file exists in the storage medium, the device uses the default parameter settings for initialization. • The startup saved-configuration [ configuration-file ] command sets the configuration file for the next startup, where the configuration-file parameter specifies the name of the configuration file.

1. Currently, most Huawei datacom products use VRPv5, and a few products such as NE series routers use VRPv8. 2. A Huawei device allows only one user to log in through the console interface at a time. Therefore, the console user ID is fixed at 0.

3. To specify a configuration file for next startup, run the startup saved-configuration [ configuration-file ] command. The value of configuration-file should contain both the file name and extension.

•

• IP has two versions: IPv4 and IPv6. IPv4 packets prevail on the Internet, and the Internet is undergoing the transition to IPv6. Unless otherwise specified, IP addresses mentioned in this presentation refer to IPv4 addresses. ▫ IPv4 is the core protocol in the TCP/IP protocol suite. It works at the network layer in the TCP/IP protocol stack and this layer corresponds to the network layer in the Open System Interconnection Reference Model (OSI RM). ▫ IPv6, also called IP Next Generation (IPng), is the second-generation standard protocol of network layer protocols. Designed by the Internet Engineering Task Force (IETF), IPv6 is an upgraded version of IPv4.

• Application data can be transmitted to the destination end over the network only after being processed at each layer of the TCP/IP protocol suite. Each layer uses protocol data units (PDUs) to exchange information with another layer. PDUs at different layers contain different information. Therefore, PDUs at each layer have a particular name. ▫ For example, after a TCP header is added to the upper-layer data in a PDU at the transport layer, the PDU is called a segment. The data segment is transmitted to the network layer. After an IP header is added to the PDU at the network layer, the PDU is called a packet. The data packet is transmitted to the data link layer. After the data link layer header is encapsulated into the PDU, the PDU becomes a frame. Ultimately, the frame is converted into bits and transmitted through network media. ▫ The process in which data is delivered following the protocol suite from top to bottom and is added with headers and tails is called encapsulation. • This presentation describes how to encapsulate data at the network layer. If data is encapsulated with IP, the packets are called IP packets.

• The IP packet header contains the following information: ▫ Version: 4 bits long. Value 4 indicates IPv4. Value 6 indicates IPv6. ▫ Header Length: 4 bits long, indicating the size of a header. If the Option field is not carried, the length is 20 bytes. The maximum length is 60 bytes. ▫ Type of Service: 8 bits long, indicating a service type. This field takes effect only when the QoS differentiated service (DiffServ) is required. ▫ Total Length: 16 bits long. It indicates the total length of an IP data packet. ▫ Identification: 16 bits long. This field is used for fragment reassembly. ▫ Flags: 3 bits long. ▫ Fragment Offset: 12 bits long. This field is used for fragment reassembly. ▫ Time to Live: 8 bits long.

• Identification: 16 bits long. This field carries a value assigned by a sender host and is used for fragment reassembly. • Flags: 3 bits long. ▫ Reserved Fragment: 0 (reserved). ▫ Don't Fragment: Value 1 indicates that fragmentation is not allowed, and value 0 indicates that fragmentation is allowed. ▫ More Fragment: Value 1 indicates that there are more segments following the segment, and value 0 indicates that the segment is the last data segment.

• Fragment Offset: 12 bits long. This field is used for fragment reassembly. This field indicates the relative position of a fragment in an original packet that is fragmented. This field is used together with the More Fragment bit to help the receiver assemble the fragments.

• Time to Live: 8 bits long. It specifies the maximum number of routers that a packet can pass through on a network. ▫ When packets are forwarded between network segments, loops may occur if routes are not properly planned on network devices. As a result, packets are infinitely looped on the network and cannot reach the destination. If a loop occurs, all packets destined for this destination are forwarded cyclically. As the number of such packets increases, network congestion occurs. ▫ To prevent network congestion induced by loops, a TTL field is added to the IP packet header. The TTL value decreases by 1 each time a packet passes through a Layer 3 device. The initial TTL value is set on the source device. After the TTL value of a packet decreases to 0, the packet is discarded. In addition, the device that discards the packet sends an ICMP error message to the source based on the source IP address in the packet header. (Note: A network device can be disabled from sending ICMP error messages to the source ends.)

• After receiving and processing the packet at the network layer, the destination end needs to determine which protocol is used to further process the packet. The Protocol field in the IP packet header identifies the number of a protocol that will continue to process the packet. • The field may identify a network layer protocol (for example, ICMP of value 0x01) or an upper-layer protocol (for example, Transmission Control Protocol [TCP] of value 0x06 or the User Datagram Protocol [UDP] of value 0x11).

• On an IP network, if a user wants to connect a computer to the Internet, the user needs to apply for an IP address for the computer. An IP address identifies a node on a network and is used to find the destination for data. We use IP addresses to implement global network communication. • An IP address is an attribute of a network device interface, not an attribute of the network device itself. To assign an IP address to a device is to assign an IP address to an interface on the device. If a device has multiple interfaces, each interface needs at least one IP address.

• Note: The interface that needs to use an IP address is usually the interface of a router or computer.

• IP address notation ▫ An IP address is 32 bits long and consists of 4 bytes. It is in dotted decimal notation, which is convenient for reading and writing. • Dotted decimal notation ▫

The IP address format helps us better use and configure a network. However, a communication device uses the binary mode to operate an IP address. Therefore, it is necessary to be familiar with the decimal and binary conversion.

• IPv4 address range

▫ 00000000.00000000.00000000.00000000– 11111111.11111111.11111111.11111111, that is, 0.0.0.0–255.255.255.255

• An IPv4 address is divided into two parts: ▫ Network part (network ID): identifies a network. ▪ IP addresses do not show any geographical information. The network ID represents the network to which a host belongs. ▪ Network devices with the same network ID are located on the same network, regardless of their physical locations. ▫ Host part: identifies a host and is used to differentiate hosts on a network. • A network mask is also called a subnet mask: ▫ A network mask is 32 bits long, which is also represented in dotted decimal notation, like bits in an IP address. ▫ The network mask is not an IP address. The network mask consists of consecutive 1s followed by consecutive 0s in binary notation. ▫ Generally, the number of 1s indicates the length of a network mask. For example, the length of mask 0.0.0.0 is 0, and the length of mask 252.0.0.0 is 6. ▫ The network mask is generally used together with the IP address. Bits of 1 correspond to network bits in the IP address. Bits of 0 corresponds to host bits in the IP address. In other words, in an IP address, the number of 1s in a network mask is the number of bits of the network ID, and the number of 0s is the number of bits in the host ID.

• A network ID indicates the network where a host is located, which is similar to the function of "Community A in district B of City X in province Y." • A host ID identifies a specific host interface within a network segment defined by the network ID. The function of host ID is like a host location "No. A Street B".

• Network addressing: ▫ Layer 2 network addressing: A host interface can be found based on an IP address. ▫ Layer 3 network addressing: A gateway is used to forward data packets between network segments. • Gateway: ▫ During packet forwarding, a device determines a forwarding path and an interface connected to a destination network segment. If the destination host and source host are on different network segments, packets are forwarded to the gateway and then the gateway forwards the packets to the destination network segment. ▫ A gateway receives and processes packets sent by hosts on a local network segment and forwards the packets to the destination network segment. To implement this function, the gateway must know the IP address of the destination network segment. The IP address of the interface on the gateway connected to the local network segment is the gateway address of the network segment.

• To facilitate IP address management and networking, IP addresses are classified into the following classes: ▫ The easiest way to determine the class of an IP address is to check the most significant bits in a network ID. Classes A, B, C, D, and E are identified by binary digits 0, 10, 110, 1110, and 1111, respectively.

▫ Class A, B, and C addresses are unicast IP addresses (except some special addresses). Only these addresses can be assigned to host interfaces. ▫ Class D addresses are multicast IP addresses. ▫ Class E addresses are used for special experiment purposes. ▫ This presentation only focuses on class A, B, and C addresses. • Comparison of class A, B, and C addresses: ▫ A network using class A addresses is called a class A network. A network using class B addresses is called a class B network. A network that uses class C addresses is called a class C network. ▫ The network ID of a class A network is 8 bits, indicating that the number of network IDs is small and a large number of host interfaces are supported. The leftmost bit is fixed at 0, and the address space is 0.0.0.0–127.255.255.255. ▫ The network ID of class B network is 16 bits, which is between class A and class C networks. The leftmost two bits are fixed at 10, and the address space is 128.0.0.0–191.255.255.255.

▫ The network ID of a class C network is 24 bits, indicating that a large number of network IDs are supported, and the number of host interfaces is small. The leftmost three bits are fixed at 110, and the address space is 192.0.0.0– 223.255.255.255.

• Network address ▫ The network ID is X, and each bit in the host ID is 0. ▫ It cannot be assigned to a host interface. • Broadcast address ▫ The network ID is X, and each bit in the host ID is 1. ▫ It cannot be assigned to a host interface. • Available address

▫ It is also called a host address. It can be assigned to a host interface. • The number of available IP addresses on a network segment is calculated using the following method: ▫ Given that the host part of a network segment is n bits, the number of IP

addresses is 2n, and the number of available IP addresses is 2n – 2 (one network address and one broadcast address).

• Network address: After the host part of this address is set to all 0s, the obtained result is the network address of the network segment where the IP address is located. • Broadcast address: After the host part of this address is set to all 1s, the obtained result is the broadcast address used on the network where the IP address is located.

• Number of IP addresses: 2n, where n indicates the number of host bits. • Number of available IP addresses: 2n – 2, where n indicates the number of host bits.

• Answers to the quiz: ▫ Network address: 10.0.0.0/8 ▫ Broadcast address: 10.255.255.255 ▫ Number of addresses: 224

▫ Number of available addresses: 224 – 2 ▫ Range of available addresses: 10.0.0.1/8–10.255.255.254/8

• Private IP addresses are used to relieve the problem of IP address shortage. Private addresses are used on internal networks and hosts, and cannot be used on the public network. ▫ Public IP address: A network device connected to the Internet must have a public IP address allocated by the ICANN. ▫ Private IP address: The use of a private IP address allows a network to be expanded more freely, because a same private IP address can be repeatedly used on different private networks. • Connecting a private network to the Internet: A private network is not allowed to connect to the Internet because it uses a private IP address. Driven by requirements, many private networks also need to connect to the Internet to implement communication between private networks and the Internet, and between private networks through the Internet. The interconnection between the private network and Internet must be implemented using the NAT technology. • Note: ▫ Network Address Translation (NAT) is used to translate addresses between private and public IP address realms.

▫ IANAis short for the Internet Assigned Numbers Authority.

• 255.255.255.255 ▫ This address is called a limited broadcast address and can be used as the destination IP address of an IP packet. ▫ After receiving an IP packet whose destination IP address is a limited broadcast address, the router stops forwarding the IP packet.

• 0.0.0.0 ▫ If this address is used as a network address, it means the network address of any network. If this address is used as the IP address of a host interface, it is the IP address of a source host interface on "this" network. ▫ For example, if a host interface does not obtain its IP address during startup, the host interface can send a DHCP Request message with the destination IP address set to a limited broadcast address and the source IP address set to 0.0.0.0 to the network. The DHCP server is expected to allocate an available IP address to the host interface after receiving the DHCP Request message. • 127.0.0.0/8

▫ This address is called a Loopback address and can be used as the destination IP address of an IP packet. It is used to test the software system of a test device. ▫ The IP packets that are generated by a device and whose destination IP address is set to a Loopback address cannot leave the device itself. • 169.254.0.0/16

▫ If a network device is configured to automatically obtain an IP address but no DHCP server is available on the network, the device uses an IP address in the 169.254.0.0/16 network segment for temporary communication. • Note: The Dynamic Host Configuration Protocol (DHCP) is used to dynamically

allocate network configuration parameters, such as IP addresses.

• Classful addressing is too rigid and the granularity of address division is too large. As a result, a large number of host IDs cannot be fully used, wasting IP addresses. • Therefore, subnetting can be used to reduce address waste through the variable length subnet mask (VLSM) technology. A large classful network is divided into several small subnets, which makes the use of IP addresses more scientific.

• Assume that a class C network segment is 192.168.10.0. By default, the network mask is 24 bits, including 24 network bits and 8 host bits. • As calculated, there are 256 IP addresses on the network.

• Now, for the original 24-bit network part, a host bit is taken to increase the network part to 25 bits. The host part is reduced to 7 bits. The taken 1 bit is a subnet bit. In this case, the network mask becomes 25 bits, that is, 255.255.255.128, or /25. • Subnet bit: The value can be 0 or 1. Two new subnets are obtained.

• As calculated, there are 128 IP addresses on the network.

• Calculate a network address, with all host bits set to 0s. ▫ If the subnet bit is 0, the network address is 192.168.10.0/25. ▫ If the subnet bit is 1, the network address is 192.168.10.128/25.

• Calculate a broadcast address, with all host bits set to 1s. ▫ If the subnet bit is 0, the network address is 192.168.10.127/25. ▫ If the subnet bit is 1, the network address is 192.168.10.255/25.

• In actual network planning, the subnet with more hosts is planned first.

• Subnet network addresses are: ▫ 192.168.1.0/28 ▫ 192.168.1.16/28 ▫ 192.168.1.32/28 ▫ 192.168.1.48/28 ▫ 192.168.1.64/28 ▫ 192.168.1.80/28

▫ 192.168.1.96/28 ▫ 192.168.1.112/28 ▫ 192.168.1.128/28 ▫ 192.168.1.144/28 ▫ 192.168.1.160/28 ▫ 192.168.1.176/28 ▫ 192.168.1.192/28

▫ 192.168.1.208/28 ▫ 192.168.1.224/28 ▫ 192.168.1.240/28

• To improve the efficiency of IP data packet forwarding and success rate of packet exchanges, ICMP is used at the network layer. ICMP allows hosts and devices to report errors during packet transmission. • ICMP message: ▫ ICMP messages are encapsulated in IP packets. Value 1 in the Protocol field of the IP packet header indicates ICMP. ▫ Explanation of fields: ▪ The format of an ICMP message depends on the Type and Code fields. The Type field indicates a message type, and the Code field contains a parameter mapped to the message type.

▪ The Checksum field is used to check whether a message is complete. ▪ A message contains a 32-bit variable field. This field is not used and is usually set to 0. − In an ICMP Redirect message, this field indicates the IP address of a gateway. A host redirects packets to the specified gateway that is assigned this IP address. − In an Echo Request message, this field contains an identifier and a sequence number. The source associates the received Echo Reply message with the Echo Request message sent by the local end based on the identifiers and sequence numbers carried in the messages. Especially, when the source sends multiple Echo Request messages to the destination, each Echo Reply message must carry the same identifier and sequence number as those carried in the Echo Request message.

• ICMP redirection process: 1. Host A wants to send packets to server A. Host A sends packets to the default gateway address that is assigned to the gateway RTB. 2. After receiving the packet, RTB checks packet information and finds that the packet should be forwarded to RTA. RTA is the other gateway on the same network segment as the source host. This forwarding path through RTA is better than that through RTB. Therefore, RTB sends an ICMP Redirect message to the host, instructing the host to send the packet to RTA. 3. After receiving the ICMP Redirect message, the host sends a packet to RTA. Then RTA forwards the packet to server A.

• A typical ICMP application is ping. Ping is a common tool used to check network connectivity and collect other related information. Different parameters can be specified in a ping command, such as the size of ICMP messages, number of ICMP messages sent at a time, and the timeout period for waiting for a reply. Devices construct ICMP messages based on the parameters and perform ping tests.

• ICMP defines various error messages for diagnosing network connectivity problems. The source can determine the cause for a data transmission failure based on the received error messages. ▫ If a loop occurs on the network, packets are looped on the network, and the TTL times out, the network device sends a TTL timeout message to the sender device. ▫ If the destination is unreachable, the intermediate network device sends an ICMP Destination Unreachable message to the sender device. There are a variety of cases for unreachable destination. If the network device cannot find the destination network, the network device sends an ICMP Destination Network Unreachable message. If the network device cannot find the destination host on the destination network, the network device sends an ICMP Destination Host Unreachable message. • Tracert is a typical ICMP application. Tracert checks the reachability of each hop on a forwarding path based on the TTL value carried in the packet header. In a tracert test for a path to a specific destination address, the source first sets the TTL value in a packet to 1 before sending the packet. After the packet reaches the first node, the TTL times out. Therefore, the first node sends an ICMP TTL Timeout message carrying a timestamp to the source. Then, the source sets the TTL value in a packet to 2 before

sending the packet. After the packet reaches the second node, the TTL times out. The second node also returns an ICMP TTL Timeout message. The process repeats until the packet reaches the destination. In this way, the source end can trace each node through which the packet passes based on the information in the returned packet, and

calculate the round-trip time based on timestamps.

• Physical interface: is an existing port on a network device. A physical interface can be a service interface transmitting services or a management interface managing the device. For example, a GE service interface and an MEth management interface are physical interfaces. • Logical interface: is a physically nonexistent interface that can be created using configuration and need to transmit services. For example, a VLANIF interface and Loopback interfaces are logical interfaces. ▫ Loopback interface: is always in the up state. ▪ Once a Loopback interface is created, its physical status and data link protocol status always stay up, regardless of whether an IP address is configured for the Loopback interface. ▪ The IP address of a Loopback interface can be advertised immediately after being configured. A Loopback interface can be assigned an IP address with a 32-bit mask, which reduces address consumption. ▪ No data link layer protocols can be encapsulated on a Loopback interface. No negotiation at the data link layer is performed for the Loopback interface. Therefore, the data link protocol status of the Loopback interface is always up. ▪ The local device directly discards a packet whose destination address is not the local IP address but the outbound interface is the local Loopback interface.

• Planning rules: ▫ Uniqueness: Each host on an IP network must have a unique IP address. ▫ Continuity: Contiguous addresses can be summarized easily in the hierarchical networking. Route summarization reduces the size of the routing table and speeds up route calculation and route convergence. ▫ Scalability: Addresses need to be properly reserved at each layer, ensuring the contiguous address space for route summarization when the network is expanded. Re-planning of addresses and routes induced by network expansion is therefore prevented. ▫ Combination of topology and services: Address planning is combined with the network topology and network transport service to facilitate route planning and quality of service (QoS) deployment. Appropriate IP address planning helps you easily determine the positions of devices and types of services once you read the IP addresses.

1. C 2. AC

• A unique network node can be found based on a specific IP address. Each IP address belongs to a unique subnet. These subnets may be distributed around the world and constitute a global network. • To implement communication between different subnets, network devices need to forward IP packets from different subnets to their destination IP subnets.

• A gateway and an intermediate node (a router) select a proper path according to the destination address of a received IP packet, and forward the packet to the next router. The last-hop router on the path performs Layer 2 addressing and forwards the packet to the destination host. This process is called route-based forwarding. • The intermediate node selects the best path from its IP routing table to forward packets. • A routing entry contains a specific outbound interface and next hop, which are used to forward IP packets to the corresponding next-hop device.

• Based on the information contained in a route, a router can forward IP packets to the destination along the required path. • The destination address and mask identify the destination address of an IP packet. After an IP packet matches a specific route, the router determines the forwarding path according to the outbound interface and next hop of the route. • The next-hop device for forwarding the IP packet cannot be determined based only on the outbound interface. Therefore, the next-hop device address must be specified.

• A router forwards packets based on its IP routing table. • An IP routing table contains many routing entries. • An IP routing table contains only optimal routes but not all routes. • A router manages routing information by managing the routing entries in its IP routing table.

• Direct routes are the routes destined for the subnets to which directly connected interfaces belong. They are automatically generated by devices. • Static routes are manually configured by network administrators. • Dynamic routes are learned by dynamic routing protocols, such as OSPF, IS-IS, and BGP.

• When a packet matches a direct route, a router checks its ARP entries and forwards the packet to the destination address based on the ARP entry for this destination address. In this case, the router is the last hop router. • The next-hop address of a direct route is not an interface address of another device. The destination subnet of the direct route is the subnet to which the local outbound interface belongs. The local outbound interface is the last hop interface and does not need to forward the packet to any other next hop. Therefore, the next-hop address of a direct route in the IP routing table is the address of the local outbound interface. • When a router forwards packets using a direct route, it does not deliver packets to the next hop. Instead, the router checks its ARP entries and forwards packets to the destination IP address based on the required ARP entry.

• The Preference field is used to compare routes from different routing protocols, while the Cost field is used to compare routes from the same routing protocol. In the industry, the cost is also known as the metric.

• RTA learns two routes to the same destination, one is a static route and the other an OSPF route. It then compares the preferences of the two routes, and prefers the OSPF route because this route has a higher preference. RTA installs the OSPF route in the IP routing table.

• The table lists the preferences of some common routing protocols. Actually, there are multiple types of dynamic routes. We will learn these routes in subsequent courses.

• The IP packets from 10.0.1.0/24 need to reach 40.0.1.0/24. After receiving these packets, the gateway R1 searches its IP routing table for the next hop and outbound interface and forwards the packets to R2. After the packets reach R2, R2 forwards the packets to R3 by searching its IP routing table. Upon receipt of the packets, R3 searches its IP routing table, finding that the destination IP address of the packets belongs to the subnet where a local interface resides. Therefore, R3 directly forwards the packets to the destination subnet 40.0.1.0/24.

• The disadvantage of static routes is that they cannot automatically adapt to network topology changes and so require manual intervention. • Dynamic routing protocols provide different routing algorithms to adapt to network topology changes. Therefore, they are applicable to networks on which many Layer 3 devices are deployed.

• Dynamic routing protocols are classified into two types based on the routing algorithm: ▫ Distance-vector routing protocol ▪ RIP ▫ Link-state routing protocol ▪ OSPF ▪ IS-IS ▫ BGP uses a path vector algorithm, which is modified based on the distancevector algorithm. Therefore, BGP is also called a path-vector routing protocol in some scenarios. • Dynamic routing protocols are classified into the following types by their application scope: ▫ IGPs run within an autonomous system (AS), including RIP, OSPF, and IS-IS. ▫ EGP runs between different ASs, among which BGP is the most frequently used.

• When the link between RTA and RTB is normal, the two routes to 20.0.0.0/30 are both valid. In this case, RTA compares the preferences of the two routes, which are 60 and 70 respectively. Therefore, the route with the preference value 60 is installed in the IP routing table, and RTA forwards traffic to the next hop 10.1.1.2. • If the link between RTA and RTB is faulty, the next hop 10.1.1.2 is unreachable, which causes the corresponding route invalid. In this case, the backup route to 20.0.0.0/30 is installed in the IP routing table. RTA forwards traffic destined for 20.0.0.1 to the next hop 10.1.2.2.

• On a large-scale network, routers or other routing-capable devices need to maintain a large number of routing entries, which will consume a large amount of device resources. In addition, the IP routing table size is increasing, resulting in a low efficiency of routing entry lookup. Therefore, we need to minimize the size of IP routing tables on routers while ensuring IP reachability between the routers and different network segments. If a network has scientific IP addressing and proper planning, we can achieve this goal by using different methods. A common and effective method is route summarization, which is also known as route aggregation.

• To enable RTA to reach remote network segments, we need to configure a specific route to each network segment. In this example, the routes to 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 have the same next hop, that is, 12.1.1.2. Therefore, we can summarize these routes into a single one. • This effectively reduces the size of RTA's IP routing table.

• In most cases, both static and dynamic routes need to be associated with an outbound interface. This interface is the egress through which the device is connected to a destination network. The outbound interface in a route can be a physical interface such as a 100M or GE interface, or a logical interface such as a VLANIF or tunnel interface. There is a special interface, that is, Null interface. It has only one interface number, that is, 0. Null0 is a logical interface and is always up. When Null0 is used as the outbound interface in a route, data packets matching this route are discarded, like being dumped into a black-hole. Therefore, such a route is called a black-hole route.

1. The router first compares preferences of routes. The route with the lowest preference value is selected as the optimal route. If the routes have the same preferences, the router compares their metrics. If the routes have the same metric, they are installed in the IP routing table as equal-cost routes. 2. To configure a floating route, configure a static route with the same destination network segment and mask as the primary route but a different next hop and a larger preference value. 3. The summary route is 10.1.0.0/20.

• BGP uses the path-vector algorithm, which is a modified version of the distance-vector algorithm.

• Each router generates an LSA that describes status information about its directly connected interface. The LSA contains the interface cost and the relationship between the router and its neighboring routers.

• SPF is a core algorithm of OSPF and used to select preferred routes on a complex network.

• The implementation of a link-state routing protocol is as follows: ▫ Step 1: Establishes a neighbor relationship between neighboring routers. ▫ Step 2: Exchanges link status information and synchronizes LSDB information between neighbors. ▫ Step 3: Calculates an optimal path. ▫ Step 4: Generates route entries based on the shortest path tree and loads the routing entries to the routing table.

• In actual projects, OSPF router IDs are manually set for devices. Ensure that the router IDs of any two devices in an OSPF area are different. Generally, the router ID is set the same as the IP address of an interface (usually a Loopback interface) on the device.

• The OSPF neighbor table contains much key information, such as router IDs and interface addresses of neighboring devices. For more details, see "OSPF Working Mechanism".

• For more information about LSAs, see information provided in HCIP-Datacom courses.

• For more information about the OSPF routing table, see information provided in HCIPDatacom courses.

• When an OSPF router receives the first Hello packet from another router, the OSPF router changes from the Down state to the Init state. • When an OSPF router receives a Hello packet in which the neighbor field contains its router ID, the OSPF router changes from the Init state to the 2-way state.

• After the neighbor state machine changes from 2-way to Exstart, the master/slave election starts. ▫ The first DD packet sent from R1 to R2 is empty, and its sequence number is assumed to be X.

▫ R2 also sends the first DD packet to R1. In the examples provided in this presentation, the sequence number of the first DD packet is Y. ▫ The master/slave relationship is selected based on the router ID. A larger router ID indicates a higher priority. The router ID of R2 is greater than that of R1. Therefore, R2 becomes the master device. After the master/slave role negotiation is complete, R1's status changes from Exstart to Exchange. • After the neighbor status of R1 changes to Exchange, R1 sends a new DD packet containing its own LSDB description. The sequence number of the DD packet is the same as that of R2. After R2 receives the packet, the neighbor status changes from Exstart to Exchange. • R2 sends a new DD packet to R1. The DD packet contains the description of its own LSDB and the sequence number of the DD packet is Y + 1. • As a backup router, R1 needs to acknowledge each DD packet sent by R2. The sequence number of the response packet is the same as that of the DD packet sent by R2. • After sending the last DD packet, R1 changes the neighbor status to Loading.

• After the neighbor status changes to Loading, R1 sends an LSR to R2 to request the LSAs that are discovered through DD packets in the Exchange state but do not exist in the local LSDB. • After receiving the LSU, R2 sends an LSU to R1. The LSU contains detailed information about the requested LSAs. • After R1 receives the LSU, R1 replies with an LSAck to R2. • During this process, R2 also sends an LSA request to R1. When the LSDBs on both ends are the same, the neighbor status changes to Full, indicating that the adjacency has been established successfully.

• Fields displayed in the display ospf peer command output are as follows: ▫ OSPF Process 1 with Router ID 1.1.1.1: The local OSPF process ID is 1, and the local OSPF router ID is 1.1.1.1. ▫ Area ID of the neighboring OSPF router. ▫ Address: address of the neighbor interface. ▫ GR State: GR status after OSPF GR is enabled. GR is an optimized function. The default value is Normal. ▫ State: neighbor status. In normal cases, after LSDB synchronization is complete, the neighbor stably stays in the Full state. ▫ Mode: whether the local device is the master or backup device during link status information exchange. ▫ Priority: priority of the neighboring router. The priority is used for DR election. ▫ DR: designated router. ▫ BDR: backup designated router. ▫ MTU: MTU of a neighbor interface.

▫ Retrans timer interval: interval (in seconds) at which LSAs are retransmitted. ▫ Authentication Sequence: authentication sequence number.

• Election rule: The interface with a higher OSPF DR priority becomes the DR of the MA. If the priorities (default value of 1) are the same, the router (interface) with a higher OSPF router ID is elected as the DR, and the DR is non-preemption.

• Types of areas: Areas can be classified into backbone areas and non-backbone areas. Area 0 is a backbone area. All areas except area 0 are called non-backbone areas. • Multi-area interconnection: To prevent inter-area loops, non-backbone areas cannot be directly connected to each other. All non-backbone areas must be connected to a backbone area.

• Internal router: All interfaces of an internal router belong to the same OSPF area. • ABR: An interface of an ABR belongs to two or more areas, but at least one interface belongs to the backbone area. • Backbone router: At least one interface of a backbone router belongs to the backbone area. • ASBR: exchanges routing information with other ASs. If an OSPF router imports external routes, the router is an ASBR.

• Small- and medium-sized enterprise networks have a small scale and a limited number of routing devices. All devices can be deployed in the same OSPF area. • A large-scale enterprise network has a large number of routing devices and is hierarchical. Therefore, OSPF multi-area deployment is recommended.

• A router ID is selected in the following order: The largest IP address among Loopback addresses is preferentially selected as a router ID. If no Loopback interface is configured, the largest IP address among interface addresses is selected as a router ID.

• Configure interfaces of R2. ▫ [R2] interface GigabitEthernet 0/0/0 [R2-GigabitEthernet0/0/0] ip address 10.1.12.2 30 [R2-GigabitEthernet0/0/0] interface GigabitEthernet 0/0/1 [R2-GigabitEthernet0/0/1] ip address 10.1.12.2 30

1. BD 2. ABD

• Early Ethernet: ▫ Ethernet networks are broadcast networks established based on the CSMA/CD mechanism. Collisions restrict Ethernet performance. Early Ethernet devices such as hubs work at the physical layer, and cannot confine collisions to a particular scope. This restricts network performance improvement. • Switch networking: ▫ Working at the data link layer, switches are able to confine collisions to a particular scope. Switches help improve Ethernet performance and have replaced hubs as mainstream Ethernet devices. However, switches do not restrict broadcast traffic on the Ethernet. This affects Ethernet performance.

• On a shared network, the Ethernet uses the CSMA/CD technology to avoid collisions. The CSMA/CD process is as follows: ▫ A terminal continuously detects whether the shared line is idle. ▪ If the line is idle, the terminal sends data. ▪ If the line is in use, the terminal waits until the line becomes idle. ▫ If two terminals send data at the same time, a collision occurs on the line, and signals on the line become unstable. ▫ After detecting the instability, the terminal immediately stops sending data. ▫ The terminal sends a series of disturbing pulses. After a period of time, the terminal resumes the data transmission. The terminal sends disturbing pulses to inform other terminals, especially the terminal that sends data at the same time, that a collision occurred on the line.

• The working principle of CSMA/CD can be summarized as follows: listen before send, listen while sending, stop sending due to collision, and resend after random delay.

• An all-1 MAC address (FF-FF-FF-FF-FF-FF) is a broadcast address. All nodes process data frames with the destination address being a broadcast address. The entire access range of the data frames is called a Layer 2 broadcast domain, which is also called a broadcast domain.

• Note that a MAC address uniquely identifies a network interface card (NIC). Each network adapter requires a unique MAC address.

• There are many types of NICs. In this document, all the NICs mentioned are Ethernet NICs. • The switches mentioned in this document are Ethernet switches. The NICs used by each network port on a switch are Ethernet NICs.

• Frame is the unit of data that is transmitted between network nodes on an Ethernet network. Ethernet frames are in two formats, namely, Ethernet_II and IEEE 802.3, as illustrated in the figure shown in this slide. • Ethernet II frame: ▫ DMAC: 6 bytes for IPv4, destination MAC address. This field identifies which MAC address should receive the frame. ▫ SMAC: 6 bytes for IPv4, source MAC address. This field identifies which MAC address should send the frame. ▫ Type: 2 bytes, protocol type. Common values are as follows: ▪ 0x0800: Internet Protocol Version 4 (IPv4) ▪ 0x0806: Address Resolution Protocol (ARP) • IEEE 802.3 LLC Ethernet frame: ▫ Logical link control (LLC) consists of the destination service access point (DSAP), source service access point (SSAP), and Control field.

▪ DSAP: 1 byte, destination service access point. If the subsequent type is IP, the value is set to 0x06. The function of a service access point is similar to the Type field in an Ethernet II frame or the port number in TCP/UDP. ▪ SSAP: 1 byte, source service access point. If the subsequent type is IP, the value is set to 0x06.

▪ Ctrl: 1 byte. This field is usually set to 0x03, indicating unnumbered IEEE 802.2 information of a connectionless service.

• A MAC address, as defined and standardized in IEEE 802, indicates the position of a network device. All Ethernet NICs that comply with the IEEE 802 standard must have a MAC address. The MAC address varies according to the NIC.

• Each Ethernet device has a unique MAC address before delivery. Then, why is an IP address assigned to each host? In other words, if each host is assigned a unique IP address, why does a unique MAC address need to be embedded in a network device (such as a NIC) during production? • The main causes are as follows: ▫ IP addresses are assigned based on the network topology, and MAC addresses are assigned based on the manufacturer. If route selection is based on the manufacturer, this solution is not feasible. ▫ When two-layer addressing is used, devices are more flexible and easy to maintain. ▪ For example, if an Ethernet NIC is faulty, you can replace it without changing its IP address. If an IP host is moved from one network to another, a new IP address can be assigned to the IP host with no need for replacing the NIC with a new one. • Conclusion: ▫ An IP address uniquely identifies a network node. Data on different network segments can be accessed using IP addresses.

▫ A MAC address uniquely identifies a NIC. Data on a single network segment can be accessed using MAC addresses.

• A MAC Address, which is 48 bits (6 bytes) in length, is a 12-digit hexadecimal number.

• A manufacturer must register with the IEEE to obtain a 24-bit (3-byte) vendor code, which is also called OUI, before producing a NIC. • The last 24 bits are assigned by a vendor and uniquely identify a NIC produced by the vendor.

• MAC addresses fall into the following types: ▫ Unicast MAC address: is also called the physical MAC address. A unicast MAC address uniquely identifies a terminal on an Ethernet network and is a globally unique hardware address.

▪ A unicast MAC address identifies a single node on a link. ▪ A frame whose destination MAC address is a unicast MAC address is sent to a single node. ▪ A unicast MAC address can be used as either the source or destination address. ▪ Note that unicast MAC addresses are globally unique. When two terminals with the same MAC address are connected to a Layer 2 network (for example, due to incorrect operations), a communication failure occurs (for example, the two terminals fail to communicate with each other). The communication between the two terminals and other devices may also fail.

• Frames on a LAN can be sent in three modes: unicast, broadcast, and multicast. • In unicast mode, frames are sent from a single source to a single destination. ▫ Each host interface is uniquely identified by a MAC address. In the OUI of a MAC address, the eighth bit of the first byte indicates the address type. For a host MAC address, this bit is fixed at 0, indicating that all frames with this MAC address as the destination MAC address are sent to a unique destination. ▫ In a broadcast domain, all hosts can receive unicast frames from the source host. However, if other hosts find that the destination address of a frame is different from the local MAC address, they discard the frame. Only the destination host can receive and process the frame.

• In broadcast mode, frames are sent from a single source to all hosts on the shared Ethernet. ▫ The destination MAC address of a broadcast frame is a hexadecimal address in the format of FF-FF-FF-FF-FF-FF. All hosts that receive the broadcast frame must receive and process the frame. ▫ In broadcast mode, a large amount of traffic is generated, which decreases the bandwidth utilization and affects the performance of the entire network. ▫ The broadcast mode is usually used when all hosts on a network need to receive and process the same information.

• The multicast mode is more efficient than the broadcast mode. ▫ Multicast forwarding can be considered as selective broadcast forwarding. Specifically, a host listens for a specific multicast address, and receives and processes frames whose destination MAC address is the multicast MAC address.

▫ A multicast MAC address and a unicast MAC address are distinguished by the eighth bit in the first byte. The eighth bit of a multicast MAC address is 1. ▫ The multicast mode is used when a group of hosts (not all hosts) on the network need to receive the same information and other hosts are not affected.

• A typical campus network consists of different devices, such as routers, switches, and firewalls. Generally, a campus network adopts the multi-layer architecture which includes the access layer, aggregation layer, core layer, and egress layer.

• Layer 2 Ethernet switch: ▫ On a campus network, a switch is the device closest to end users and is used to connect terminals to the campus network. Switches at the access layer are typically Layer 2 switches.

▫ A Layer 2 switch works at the second layer of the TCP/IP model, which is the data link layer, and forwards data packets based on MAC addresses. • Layer 3 Ethernet switch: ▫ Routers are required to implement network communication between different LANs. As data communication networks expand and more services emerge on the networks, increasing traffic needs to be transmitted between networks. Routers cannot adapt to this development trend because of their high costs, low forwarding performance, and small interface quantities. New devices capable of high-speed Layer 3 forwarding are required. Layer 3 switches are such devices. • Note that the switches involved in this course refer to Layer 2 Ethernet switches.

• Layer 2 switches work at the data link layer and forward frames based on MAC addresses. Switch interfaces used to send and receive data are independent of each other. Each interface belongs to a different collision domain, which effectively isolates collision domains on the network. • Layer 2 switches maintain the mapping between MAC addresses and interfaces by learning the source MAC addresses of Ethernet frames. The table that stores the mapping between MAC addresses and interfaces is called a MAC address table. Layer 2 switches look up the MAC address table to determine the interface to which frames are forwarded based on the destination MAC address.

• A MAC address table records the mapping between MAC addresses and interfaces of other devices learned by a switch. When forwarding a frame, the switch looks up the MAC address table based on the destination MAC address of the frame. If the MAC address table contains the entry corresponding to the destination MAC address of the frame, the frame is directly forwarded through the outbound interface in the entry. If the MAC address table does not contain the entry corresponding to the destination MAC address of the frame, the switch floods the frame on all interfaces except the interface that receives the frame.

• A switch forwards each frame that enters an interface over a transmission medium. The basic function of a switch is to forward frames. • A switch processes frames in three ways: flooding, forwarding, and discarding. ▫ Flooding: The switch forwards the frames received from an interface to all other interfaces. ▫ Forwarding: The switch forwards the frames received from an interface to another interface. ▫ Discarding: The switch discards the frames received from an interface.

• If a unicast frame enters a switch interface over a transmission medium, the switch searches the MAC address table for the destination MAC address of the frame. If the MAC address cannot be found, the switch floods the unicast frame. • If a broadcast frame enters a switch interface over a transmission medium, the switch directly floods the broadcast frame instead of searching the MAC address table for the destination MAC address of the frame. • As shown in this figure: ▫ Scenario 1: Host 1 wants to access host 2 and sends a unicast frame to the switch. After receiving the unicast frame, the switch searches the MAC address table for the destination MAC address of the frame. If the destination MAC address does not exist in the table, the switch floods the frame. ▫ Scenario 2: Host 1 wants to access host 2 but does not know the MAC address of host 2. Host 1 sends an ARP Request packet, which is a broadcast frame to the switch. The switch then floods the broadcast frame.

• If a unicast frame enters a switch interface over a transmission medium, the switch searches the MAC address table for the destination MAC address of the frame. If the corresponding entry is found in the MAC address table, the switch checks whether the interface number corresponding to the destination MAC address is the number of the interface through which the frame enters the switch over the transmission medium. If not, the switch forwards the frame to the interface corresponding to the destination MAC address of the frame in the MAC address table. The frame is then sent out from this interface. • As shown in this figure,

▫ host 1 wants to access host 2 and sends a unicast frame to the switch. After receiving the unicast frame, the switch finds the corresponding entry in the MAC address table and forwards the frame in point-to-point mode.

• If a unicast frame enters a switch interface over a transmission medium, the switch searches the MAC address table for the destination MAC address of the frame. If the corresponding entry is found in the MAC address table, the switch checks whether the interface number corresponding to the destination MAC address in the MAC address table is the number of the interface through which the frame enters the switch over the transmission medium. If yes, the switch discards the frame. • As shown in this figure: ▫ Host 1 wants to access host 2 and sends a unicast frame to switch 1. After receiving the unicast frame, switch 1 searches the MAC address table for the destination MAC address of the frame. If the destination MAC address does not exist in the table, switch 1 floods the frame. ▫ After receiving the frame, switch 2 finds that the interface corresponding to the destination MAC address is the interface that receives the frame. In this case, switch 2 discards the frame.

• In the initial state, a switch does not know the MAC address of a connected host. Therefore, the MAC address table is empty.

• If host 1 wants to send data to host 2 (assume that host 1 has obtained the IP address and MAC address of host 2), host 1 encapsulates the frame with its own source IP address and source MAC address. • After receiving the frame, the switch searches its own MAC address table. If no matching entry is found in the table, the switch considers the frame an unknown unicast frame.

• The switch floods the received frame because it is an unknown unicast frame. • In addition, the switch records the source MAC address and interface number of the received frame in the MAC address table. • Note that the dynamically learned entries in a MAC address table are not always valid. Each entry has a lifespan. If an entry is not updated within the lifespan, the entry will be deleted. This lifespan is called the aging time. For example, the default aging time of Huawei S series switches is 300s.

• All hosts on a broadcast network receive the frame, but only host 2 processes the frame because the destination MAC address is the MAC address of host 2. • Host 2 sends a reply frame, which is also a unicast data frame, to host 1.

• After receiving the unicast frame, the switch checks its MAC address table. If a matching entry is found, the switch forwards the frame through the corresponding interface. • In addition, the switch records the source MAC address and interface number of the received frame in the MAC address table.

• Before sending a packet, host 1 needs to encapsulate information, including the source and destination IP addresses and the source and destination MAC addresses, into the packet.

• To encapsulate packet, host 1 searches the local ARP cache table. In the initial state, the ARP cache table of host 1 is empty. • For the switch that is just powered on, in the initial state, the MAC address table is also empty.

• Host 1 sends an ARP Request packet to request for the destination MAC address. • After receiving a frame, the switch searches the MAC address table. If no matching entry is found in the table, the switch floods the frame to other interfaces other than the interface receiving the frame.

• The switch records the source MAC address and interface number of the received frame in the MAC address table.

• After receiving the ARP Request packet, host 2 processes the packet and sends an ARP Reply packet to host 1. • After receiving a frame, the switch searches the MAC address table. If the corresponding entry is found in the table, the switch forwards the frame to the corresponding interface and records the source MAC address and interface number of the received frame in the MAC address table. • After receiving the ARP Reply packet from host 2, host 1 records the corresponding IP address and MAC address in its ARP cache table and encapsulates its packets to access host 2.

1. A 2. B

• Broadcast domain: ▫ The preceding figure shows a typical switching network with only PCs and switches. If PC1 sends a broadcast frame, the switches flood the frame on the network. As a result, all the other PCs receive the frame.

▫ The range that broadcast frames can reach is called a Layer 2 broadcast domain (broadcast domain for short). A switching network is a broadcast domain. • Network security and junk traffic problems: ▫ Assume that PC1 sends a unicast frame to PC2. The MAC address entry of PC2 exists in the MAC address tables of SW1, SW3, and SW7 rather than SW2 and SW5. In this case, SW1 and SW3 forward the frame in point-to-point mode, SW7 discards the frame, and SW2 and SW5 flood the frame. As a result, although PC2 receives the unicast frame, other PCs on the network also receive the frame that should not be received. • The larger the broadcast domain is, the more serious network security and junk traffic problems are.

• The VLAN technology is introduced to solve the problems caused by large broadcast domains. ▫ By deploying VLANs on switches, you can logically divide a large broadcast domain into several small broadcast domains. This effectively improves network security, lowers junk traffic, and reduces the number of required network resources. • VLAN characteristics: ▫ Each VLAN is a broadcast domain. Therefore, PCs in the same VLAN can directly communicate at Layer 2. PCs in different VLANs, by contrast, can only communicate at Layer 3 instead of directly communicating at Layer 2. In this way, broadcast packets are confined to a VLAN. ▫ VLAN assignment is geographically independent. • Advantages of the VLAN technology: ▫ Allows flexible setup of virtual groups. With the VLAN technology, terminals in different geographical locations can be grouped together, simplifying network construction and maintenance. ▫ Confines each broadcast domain to a single VLAN, conserving bandwidth and improving network processing capabilities. ▫ Enhances LAN security. Frames in different VLANs are separately transmitted, so that PCs in a VLAN cannot directly communicate with those in another VLAN.

▫ Improves network robustness. Faults in a VLAN do not affect PCs in other VLANs. • Note: Layer 2 refers to the data link layer.

• This part describes VLAN principles from the following three aspects: VLAN identification, VLAN assignment, and VLAN frame processing on switches.

• As shown in the figure, after receiving a frame and identifying the VLAN to which the frame belongs, SW1 adds a VLAN tag to the frame to specify this VLAN. Then, after receiving the tagged frame sent from SW1, another switch, such as SW2, can easily identify the VLAN to which the frame belongs based on the VLAN tag. • Frames with a 4-byte VLAN tag are called IEEE 802.1Q frames or VLAN frames.

• Ethernet frames in a VLAN are mainly classified into the following types: ▫ Tagged frames: Ethernet frames for which a 4-byte VLAN tag is inserted between the source MAC address and length/type fields according to IEEE 802.1Q ▫ Untagged frames: frames without a 4-byte VLAN tag • Main fields in a VLAN frame: ▫ TPID: a 16-bit field used to identify the type of a frame. ▪ The value 0x8100 indicates an IEEE 802.1Q frame. A device that does not support 802.1Q discards 802.1Q frames. ▪ Device vendors can define TPID values for devices. To enable a device to identify the non-802.1Q frames sent from another device, you can change the TPID on the device to be the same as that device. ▫ PRI: a 3-bit field used to identify the priority of a frame. It is mainly used for QoS. ▪ The value of this field is an integer ranging from 0 to 7. A larger value indicates a higher priority. If congestion occurs, a switch preferentially sends frames with the highest priority.

• PCs send only untagged frames. After receiving such an untagged frame, a switch that supports the VLAN technology needs to assign the frame to a specific VLAN based on certain rules. • Available VLAN assignment methods are as follows:

▫ Interface-based assignment: assigns VLANs based on switch interfaces. ▪ A network administrator preconfigures a port VLAN ID (PVID) for each switch interface. When an untagged frame arrives at an interface of a switch, the switch adds a tag carrying the PVID of the interface to the frame. The frame is then transmitted in the specified VLAN. ▫ MAC address-based assignment: assigns VLANs based on the source MAC addresses of frames. ▪ A network administrator preconfigures the mapping between MAC addresses and VLAN IDs. After receiving an untagged frame, a switch adds the VLAN tag mapping the source MAC address of the frame to the frame. The frame is then transmitted in the specified VLAN.

• Assignment rules: ▫ VLAN IDs are configured on physical interfaces of a switch. All PC-sent untagged frames arriving at a physical interface are assigned to the VLAN corresponding to the PVID configured for the interface.

• Characteristics: ▫ VLAN assignment is simple, intuitive, and easy to implement. Currently, it is the most widely used VLAN assignment method. ▫ If the switch interface to which a PC is connected changes, the VLAN to which frames sent from the PC to the interface are assigned may also change. • Default VLAN ID: PVID ▫ A PVID needs to be configured for each switch interface. All untagged frames arriving at an interface are assigned to the VLAN corresponding to the PVID configured for the interface. ▫ The default PVID is 1.

• Assignment rules: ▫ Each switch maintains a table recording the mapping between MAC addresses and VLAN IDs. After receiving a PC-sent untagged frame, a switch analyzes the source MAC address of the frame, searches the mapping table for the VLAN ID mapping the MAC address, and assigns the frame to the corresponding VLAN according to the mapping. • Characteristics: ▫ This assignment method is a bit complex but more flexible.

▫ If the switch interface to which a PC is connected changes, the VLAN to which frames sent from the PC to the interface are assigned remains unchanged because the PC's MAC address does not change. ▫ However, as malicious PCs can easily forge MAC addresses, this assignment method is prone to security risks.

• The interface-based VLAN assignment method varies according to the switch interface type. • Access interface ▫ An access interface often connects to a terminal (such as a PC or server) that cannot identify VLAN tags, or is used when VLANs do not need to be differentiated. • Trunk interface ▫ A trunk interface often connects to a switch, router, AP, or voice terminal that can receive and send both tagged and untagged frames. • Hybrid interface ▫ A hybrid interface can connect to a user terminal (such as a PC or server) that cannot identify VLAN tags or to a switch, router, AP, or voice terminal that can receive and send both tagged and untagged frames. ▫ By default, hybrid interfaces are used on Huawei devices.

• How do switch interfaces process tagged and untagged frames? First, let's have a look at access interfaces. • Characteristics of access interfaces: ▫ An access interface permits only frames whose VLAN ID is the same as the PVID of the interface. • Frame receiving through an access interface: ▫ After receiving an untagged frame, the access interface adds a tag with the VID being the PVID of the interface to the frame and then floods, forwards, or discards the tagged frame. ▫ After receiving a tagged frame, the access interface checks whether the VID in the tag of the frame is the same as the PVID. If they are the same, the interface forwards the tagged frame. Otherwise, the interface directly discards the tagged frame. • Frame sending through an access interface: ▫ After receiving a tagged frame sent from another interface on the same switch, the access interface checks whether the VID in the tag of the frame is the same as the PVID. ▪ If they are the same, the interface removes the tag from the frame and sends the untagged frame out. ▪ Otherwise, the interface directly discards the tagged frame.

• For a trunk interface, you need to configure not only a PVID but also a list of VLAN IDs permitted by the interface. By default, VLAN 1 exists in the list. • Characteristics of trunk interfaces: ▫ A trunk interface allows only frames whose VLAN IDs are in the list of VLAN IDs permitted by the interface to pass through. ▫ It allows tagged frames from multiple VLANs but untagged frames from only one VLAN to pass through. • Frame receiving through a trunk interface:

▫ After receiving an untagged frame, the trunk interface adds a tag with the VID being the PVID of the interface to the frame and then checks whether the VID is in the list of VLAN IDs permitted by the interface. If the VID is in the list, the interface forwards the tagged frame. Otherwise, the interface directly discards the tagged frame. ▫ After receiving a tagged frame, the trunk interface checks whether the VID in the tag of the frame is in the list of VLAN IDs permitted by the interface. If the VID is in the list, the interface forwards the tagged frame. Otherwise, the interface directly discards the tagged frame.

• In this example, SW1 and SW2 connect to PCs through access interfaces. PVIDs are configured for the interfaces, as shown in the figure. SW1 and SW2 are connected through trunk interfaces whose PVIDs are all set to 1. The table lists the VLAN IDs permitted by the trunk interfaces. • Describe how inter-PC access is implemented in this example.

• For a hybrid interface, you need to configure not only a PVID but also two lists of VLAN IDs permitted by the interface: one untagged VLAN ID list and one tagged VLAN ID list. By default, VLAN 1 is in the untagged VLAN ID list. Frames from all the VLANs in the two lists are allowed to pass through the hybrid interface. • Characteristics of hybrid interfaces: ▫ A hybrid interface allows only frames whose VLAN IDs are in the lists of VLAN IDs permitted by the interface to pass through. ▫ It allows tagged frames from multiple VLANs to pass through. Frames sent out from a hybrid interface can be either tagged or untagged, depending on the VLAN configuration. ▫ Different from a trunk interface, a hybrid interface allows untagged frames from multiple VLANs to pass through.

• In this example, SW1 and SW2 connect to PCs through hybrid interfaces. The two switches are connected also through this type of interface. PVIDs are configured for the interfaces, as shown in the figure. The tables list the VLAN IDs permitted by the interfaces. • Describe how PCs access the server in this example.

• The processes of adding and removing VLAN tags on interfaces are as follows: ▫ Frame receiving: ▪ After receiving an untagged frame, access, trunk, and hybrid interfaces all add a VLAN tag to the frame. Then, trunk and hybrid interfaces determine whether to permit the frame based on the VID of the frame (the frame is permitted only when the VID is a permitted VLAN ID), whereas an access interface permits the frame unconditionally. ▪ After receiving a tagged frame, an access interface permits the frame only when the VID in the tag of the frame is the same as the PVID configured for the interface, while trunk and hybrid interfaces permit the frame only when the VID in the tag of the frame is in the list of permitted VLANs. ▫ Frame sending: ▪ Access interface: directly removes VLAN tags from frames before sending the frames. ▪ Trunk interface: removes VLAN tags from frames only when the VIDs in the tags are the same as the PVID of the interface. ▪ Hybrid interface: determines whether to remove VLAN tags from frames based on the interface configuration. • Frames sent by an access interface are all untagged. On a trunk interface, only frames of one VLAN are sent without tags, and frames of other VLANs are all sent with tags. On a hybrid interface, you can specify the VLANs of which frames are sent with or without tags.

• You are advised to assign consecutive VLAN IDs to ensure proper use of VLAN resources. The most common method is interface-based VLAN assignment.

• The vlan command creates a VLAN and displays the VLAN view. If the VLAN to be created already exists, this command directly displays the VLAN view. • The undo vlan command deletes a VLAN. • By default, all interfaces are added to the default VLAN with the ID of 1. • Commands: ▫ vlan vlan-id ▪ vlan-id: specifies a VLAN ID. The value is an integer ranging from 1 to 4094. ▫ vlan batch { vlan-id1 [ to vlan-id2 ] } ▪ batch: creates VLANs in a batch. ▪ vlan-id1 [ to vlan-id2 ]: specifies the IDs of VLANs to be created in a batch. − vlan-id1: specifies a start VLAN ID.

− vlan-id2: specifies an end VLAN ID. The value of vlan-id2 must be greater than or equal to that of vlan-id1. The two parameters work together to define a VLAN range. ▪ If you do not specify to vlan-id2, the command creates only one VLAN with the ID being specified using vlan-id1. ▪ The values of vlan-id1 and vlan-id2 are both integers ranging from 1 to 4094.

• Command: port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] | all } ▫ vlan-id1 [ to vlan-id2 ]: specifies the IDs of VLANs to which a trunk interface needs to be added. ▪ vlan-id1: specifies a start VLAN ID. ▪ vlan-id2: specifies an end VLAN ID. The value of vlan-id2 must be greater than or equal to that of vlan-id1. ▪ The values of vlan-id1 and vlan-id2 are both integers ranging from 1 to 4094.

▫ all: adds a trunk interface to all VLANs. • The port trunk pvid vlan vlan-id command configures a default VLAN for a trunk interface. ▫ vlan-id: specifies the ID of the default VLAN to be created for a trunk interface. The value is an integer ranging from 1 to 4094.

• Command: port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } | all } ▫ vlan-id1 [ to vlan-id2 ]: specifies the IDs of VLANs to which a hybrid interface needs to be added. ▪ vlan-id1: specifies a start VLAN ID. ▪ vlan-id2: specifies an end VLAN ID. The value of vlan-id2 must be greater than or equal to that of vlan-id1. ▪ The values of vlan-id1 and vlan-id2 are both integers ranging from 1 to 4094. ▫ all: adds a hybrid interface to all VLANs. • Command: port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } | all } ▫ vlan-id1 [ to vlan-id2 ]: specifies the IDs of VLANs to which a hybrid interface needs to be added. ▪ vlan-id1: specifies a start VLAN ID. ▪ vlan-id2: specifies an end VLAN ID. The value of vlan-id2 must be greater than or equal to that of vlan-id1. ▪ The values of vlan-id1 and vlan-id2 are both integers ranging from 1 to 4094. ▫ all: adds a hybrid interface to all VLANs. • The port hybrid pvid vlan vlan-id command configures a default VLAN for a hybrid interface. ▫ vlan-id: specifies the ID of the default VLAN to be created for a hybrid interface. The value is an integer ranging from 1 to 4094.

Configuration roadmap: ▫ Create VLANs and add interfaces connected to PCs to the VLANs to isolate Layer 2 traffic between PCs with different services. ▫ Configure interface types and specify permitted VLANs for SW1 and SW2 to allow PCs with the same service to communicate through SW1 and SW2.

• Command: The display vlan command displays VLAN information. • Command output: ▫ Tagged/Untagged: Interfaces are manually added to VLANs in tagged or untagged mode. ▫ VID or VLAN ID: VLAN ID. ▫ Type or VLAN Type: VLAN type. The value common indicates a common VLAN. ▫ Ports: interfaces added to VLANs.

• Configuration roadmap: ▫ Create VLANs and add interfaces connected to PCs to the VLANs to isolate Layer 2 traffic between PCs with different services. ▫ Configure interface types and specify permitted VLANs for SW1 and SW2 to allow PCs to communicate with the server through SW1 and SW2.

• Command: mac-vlan mac-address mac-address [ mac-address-mask | mac-addressmask-length ] ▫ mac-address: specifies the MAC address to be associated with a VLAN. ▪ The value is a hexadecimal number in the format of H-H-H. Each H contains one to four digits, such as 00e0 or fc01. If an H contains less than four digits, the left-most digits are padded with zeros. For example, e0 is displayed as 00e0. ▪ The MAC address cannot be 0000-0000-0000, FFFF-FFFF-FFFF, or any multicast address. ▫ mac-address-mask: specifies the mask of a MAC address. ▪ The value is a hexadecimal number in the format of H-H-H. Each H contains one to four digits.

▫ mac-address-mask-length: specifies the mask length of a MAC address. ▪ The value is an integer ranging from 1 to 48. • The mac-vlan enable command enables MAC address-based VLAN assignment on an interface.

• Configuration roadmap: ▫ Create a VLAN, for example, VLAN 10. ▫ Add Ethernet interfaces on SW1 to the VLAN. ▫ Associate the MAC addresses of PCs 1 through 3 with the VLAN.

• On access and trunk interfaces, MAC address-based VLAN assignment can be used only when the MAC address-based VLAN is the same as the PVID. It is recommended that MAC address-based VLAN assignment be configured on hybrid interfaces.

• Command: The display mac-vlan { mac-address { all | mac-address [ mac-addressmask | mac-address-mask-length ] } | vlan vlan-id } command displays the configuration of MAC address-based VLAN assignment. ▫ all: displays all VLANs associated with MAC addresses. ▫ mac-address mac-address: displays the VLAN associated with a specified MAC address. ▪ The value is a hexadecimal number in the format of H-H-H. Each H contains one to four digits. ▫ mac-address-mask: specifies the mask of a MAC address. ▪ The value is a hexadecimal number in the format of H-H-H. Each H contains one to four digits. ▫ mac-address-mask-length: specifies the mask length of a MAC address. ▪ The value is an integer ranging from 1 to 48. ▫ vlan vlan-id: specifies a VLAN ID.

▪ The value is an integer ranging from 1 to 4094. • Command output: ▫ MAC Address: MAC address ▫ MASK: mask of a MAC address ▫ VLAN: ID of the VLAN associated with a MAC address ▫ Priority: 802.1p priority of the VLAN associated with a MAC address

1. AC 2. After the port trunk allow-pass vlan 2 3 command is run, the frames of VLAN 5 cannot be transmitted through the trunk interface. By default, the frames of VLAN 1 can be transmitted through the trunk interface. Therefore, the frames of VLANs 1 through 3 can all be transmitted through the interface.

• As LANs increase, more and more switches are used to implement interconnection between hosts. As shown in the figure, the access switch is connected to the upstream device through a single link. If the uplink fails, the host connected to the access switch is disconnected from the network. Another problem is the single point of failure (SPOF). That is, if the switch breaks down, the host connected to the access switch is also disconnected. • To solve this problem, switches use redundant links to implement backup. Although redundant links improve network reliability, loops may occur. Loops cause many problems, such as communication quality deterioration and communication service interruption.

• In practice, redundant links may cause loops, and some loops may be caused by human errors.

• Issue 1: Broadcast storm ▫ According to the forwarding principle of switches, if a switch receives a broadcast frame or a unicast frame with an unknown destination MAC address from an interface, the switch forwards the frame to all other interfaces except the source interface. If a loop exists on the switching network, the frame is forwarded infinitely. In this case, a broadcast storm occurs and repeated data frames are flooded on the network. ▫ In this example, SW3 receives a broadcast frame and floods it. SW1 and SW2 also forward the frame to all interfaces except the interface that receives the frame. As a result, the frame is forwarded to SW3 again. This process continues, causing a broadcast storm. The switch performance deteriorates rapidly and services are interrupted. • Issue 2: MAC address flapping

▫ A switch generates a MAC address table based on source addresses of received data frames and receive interfaces. ▫ In this example, SW1 learns and floods the broadcast frame after receiving it from GE0/0/1, forming the mapping between the MAC address 5489-98EE-788A and GE0/0/1. SW2 learns and floods the received broadcast frame. SW1 receives the broadcast frame with the source MAC address 5489-98EE-788A from GE0/0/2 and learns the MAC address again. Then, the MAC address 5489-98EE788A is switched between GE0/0/1 and GE0/0/2 repeatedly, causing MAC address

flapping.

• On an Ethernet network, loops on a Layer 2 network may cause broadcast storms, MAC address flapping, and duplicate data frames. STP is used to prevent loops on a switching network. • STP constructs a tree to eliminate loops on the switching network.

• The STP algorithm is used to detect loops on the network, block redundant links, and prune the loop network into a loop-free tree network. In this way, proliferation and infinite loops of data frames are avoided on the loop network.

• As shown in the preceding figure, switches run STP and exchange STP BPDUs to monitor the network topology. Normally, a port on SW3 is blocked to prevent the loop. When the link between SW1 and SW3 is faulty, the blocked port is unblocked and enters the forwarding state.

• Common loops are classified into Layer 2 and Layer 3 loops. • Layer 2 loops are caused by Layer 2 redundancy or incorrect cable connections. You can use a specific protocol or mechanism to prevent Layer 2 loops. • Layer 3 loops are mainly caused by routing loops. Dynamic routing protocols can be used to prevent loops and the TTL field in the IP packet header can be used to prevent packets from being forwarded infinitely.

• STP is used on Layer 2 networks of campus networks to implement link backup and eliminate loops.

• In STP, each switch has a bridge ID (BID), which consists of a 16-bit bridge priority and a 48-bit MAC address. On an STP network, the bridge priority is configurable and ranges from 0 to 65535. The default bridge priority is 32768. The bridge priority can be changed but must be a multiple of 1024. The device with the highest priority (a smaller value indicates a higher priority) is selected as the root bridge. If the priorities are the same, devices compare MAC addresses. A smaller MAC address indicates a higher priority. • As shown in the figure, the root bridge needs to be selected on the network. The three switches first compare bridge priorities. The bridge priorities of the three switches are 4096. Then the three switches compare MAC addresses. The switch with the smallest MAC address is selected as the root bridge.

• The root bridge functions as the root of a tree network. • It is the logical center, but not necessarily the physical center, of the network. The root bridge changes dynamically with the network topology. • After network convergence is completed, the root bridge generates and sends configuration BPDUs to other devices at specific intervals. Other devices process and forward the configuration BPDUs to notify downstream devices of topology changes, ensuring that the network topology is stable.

• Each port on a switch has a cost in STP. By default, a higher port bandwidth indicates a smaller port cost. • Huawei switches support multiple STP path cost calculation standards to provide better compatibility in scenarios where devices from multiple vendors are deployed. By default, Huawei switches use IEEE 802.1t to calculate the path cost.

• There may be multiple paths from a non-root bridge to the root bridge. Each path has a total cost, which is the sum of all port costs on this path. A non-root bridge compares the costs of multiple paths to select the shortest path to the root bridge. The path cost of the shortest path is called the root path cost (RPC), and a loop-free tree network is generated. The RPC of the root bridge is 0.

• Each port on an STP-enabled switch has a port ID, which consists of the port priority and port number. The value of the port priority ranges from 0 to 240, with an increment of 16. That is, the value must be an integer multiple of 16. By default, the port priority is 128. The PID is used to determine the port role.

• Switches exchange BPDUs where information and parameters are encapsulated to calculate spanning trees. • BPDUs are classified into configuration BPDUs and TCN BPDUs. • A configuration BPDU contains parameters such as the BID, path cost, and PID. STP selects the root bridge by transmitting configuration BPDUs between switches and determines the role and status of each switch port. Each bridge proactively sends configuration BPDUs during initialization. After the network topology becomes stable, only the root bridge proactively sends configuration BPDUs. Other bridges send configuration BPDUs only after receiving configuration BPDUs from upstream devices. • A TCN BPDU is sent by a downstream switch to an upstream switch when the downstream switch detects a topology change.

• STP operations: 1. Selects a root bridge. 2. Each non-root switch elects a root port. 3. Select a designated port for each network segment. 4. Blocks non-root and non-designated ports. • STP defines three port roles: designated port, root port, and alternate port. • A designated port is used by a switch to forward configuration BPDUs to the connected network segment. Each network segment has only one designated port. In most cases, each port of the root bridge is a designated port. • The root port is the port on the non-root bridge that has the optimal path to the root bridge. A switch running STP can have only one root port, but the root bridge does not have any root port. • If a port is neither a designated port nor a root port, the port is an alternate port. The alternate port is blocked.

• When a switch starts, it considers itself as the root bridge and sends configuration BPDUs to each other for STP calculation.

• What is a root bridge? ▫ The root bridge is the root node of an STP tree. ▫ To generate an STP tree, first determine a root bridge. ▫ It is the logical center, but not necessarily the physical center, of the network.

▫ When the network topology changes, the root bridge may also change. (The role of the root bridge can be preempted.) • Election process: 1. When an STP-enabled switch is started, it considers itself as the root bridge and declares itself as the root bridge in the BPDUs sent to other switches. In this case, the BID in the BPDU is the BID of each device. 2. When a switch receives a BPDU from another device on the network, it compares the BID in the BPDU with its own BID. 3. Switches exchange BPDUs continuously and compare BIDs. The switch with the smallest BID is selected as the root bridge, and other switches are non-root bridges. 4. As shown in the figure, the priorities of SW1, SW2, and SW3 are compared first. If the priorities of SW1, SW2, and SW3 are the same, MAC addresses are compared. The BID of SW1 is the smallest, so SW1 is the root bridge, and SW2 and SW3 are non-root bridges. • Note: ▫ The role of the root bridge can be preempted. When a switch with a smaller BID joins the network, the network performs STP calculation again to select a new root bridge.

• What is a root port? ▫ A non-root bridge may have multiple ports connected to a network. To ensure that a working path from a non-root bridge to a root bridge is optimal and unique, the root port needs to be determined among ports of the non-root bridge. The root port is used for packet exchange between the non-root bridge and the root bridge. ▫ After the root bridge is elected, the root bridge still continuously sends BPDUs, and the non-root bridge continuously receives BPDUs from the root bridge. Therefore, the root port closest to the root bridge is selected on all non-root bridges. After network convergence, the root port continuously receives BPDUs from the root bridge. ▫ That is, the root port ensures the unique and optimal working path between the non-root bridge and the root bridge.

• Note: A non-root bridge can have only one root port.

• What is a designated port? ▫ The working path between each link and the root bridge must be unique and optimal. When a link has two or more paths to the root bridge (the link is connected to different switches, or the link is connected to different ports of a switch), the switch (may be more than one) connected to the link must determine a unique designated port. ▫ Therefore, a designated port is selected for each link to send BPDUs along the link. • Note: Generally, the root bridge has only designated ports. • Election process:

1. The designated port is also determined by comparing RPCs. The port with the smallest RPC is selected as the designated port. If the RPCs are the same, the BID and PID are compared. 2. First, RPCs are compared.A smaller value indicates a higher priority of electing the designated port, so the switch selects the port with the smallest RPC as the designated port. 3. If the RPCs are the same, BIDs of switches at both ends of the link are compared. A smaller BID indicates a higher priority of electing the designated port, so the switch selects the port with the smallest BID as the designated port. 4. If the BIDs are the same, PIDs of switches at both ends of the link are compared. A smaller PID indicates a higher priority of electing the designated port, so the switch selects the port with the smallest PID as the designated port.

• What is a non-designated port (alternate port)? ▫ After the root port and designated port are determined, all the remaining nonroot ports and non-designated ports on the switch are called alternate ports. • Blocking alternate ports ▫ STP logically blocks the alternate ports. That is, the ports cannot forward the frames (user data frames) generated and sent by terminal computers. ▫ Once the alternate port is logically blocked, the STP tree (loop-free topology) is generated.

• Note: ▫ The blocked port can receive and process BPDUs. ▫ The root port and designated port can receive and send BPDUs and forward user data frames.

• As shown in the figure, the root bridge is selected first. If the three switches have the same bridge priority, the switch with the smallest MAC address is selected as the root bridge. • GE0/0/1 on SW2 is closest to the root bridge and has the smallest RPC, so GE0/0/1 on SW2 is the root port. Similarly, GE0/0/1 on SW3 is also the root port. • Then designated ports are selected. SW1 is elected as the root bridge, so GE0/0/0 and GE0/0/1 on SW1 are designated ports. GE0/0/2 on SW2 receives configuration BPDUs from SW3 and compares the BIDs of SW2 and SW3. SW2 has a higher BID than SW3, so GE0/0/2 on SW2 is the designated port. • GE0/0/2 on SW3 is the alternate port.

• As shown in the figure, the root bridge is selected first. If the three switches have the same bridge priority, the switch with the smallest MAC address is selected as the root bridge. • Then the root port is selected. The total bandwidth between GE0/0/1 on SW2 and the root bridge is 1000 Mbit/s, and the total bandwidth between GE0/0/2 on SW2 and the root bridge is 1000 Mbit/s. The smaller the bandwidth, the smaller the cost. Therefore, GE0/0/1 on SW2 is the root port. Similarly, GE0/0/1 on SW3 is the root port. • SW1 is selected as the root bridge, so GE0/0/0 and GE0/0/1 on SW1 are designated ports. GE0/0/2 on SW2 receives configuration BPDUs from SW3 and compares the BIDs of SW2 and SW3. SW2 has a higher BID than SW3, so GE0/0/2 on SW2 is the designated port. • GE0/0/2 on SW3 is the alternate port.

• As shown in the figure, the root bridge is selected first. If the four switches have the same bridge priority, the switch with the smallest MAC address is selected as the root bridge. • GE0/0/1 on SW2 is closest to the root bridge and has the smallest RPC. Therefore, GE0/0/1 on SW2 is the root port. Similarly, GE0/0/2 on SW3 is the root port. The two ports on SW4 have the same RPC. The BID of SW2 connected to GE0/0/1 on SW4 and the BID of SW3 connected to GE0/0/2 on SW4 are compared. The smaller the BID, the higher the priority. Given this, GE0/0/1 on SW4 is selected as the root port. • Then designated ports are selected. SW1 is elected as the root bridge, so GE0/0/0 and GE0/0/1 on SW1 are designated ports. GE0/0/2 on SW2 receives configuration BPDUs from SW4 and compares the BIDs of SW2 and SW4. SW2 has a higher BID than SW4, so GE0/0/2 on SW2 is the designated port, and GE0/0/1 on SW3 is the designated port. • GE0/0/2 on SW4 is the alternate port.

• As shown in the figure, the root bridge is selected first. If the two switches have the same bridge priority, the switch with a smaller MAC address is selected as the root bridge. SW1 is selected as the root bridge. • Then the root port is selected. The two ports on SW2 have the same RPC and BID. The PIDs of the two ports are compared. The PID of G0/0/1 on SW2 is 128.1, and the PID of G0/0/2 on SW2 is 128.2. The smaller the PID, the higher the priority. Therefore, G0/0/1 of SW2 is the root port. • SW1 is the root bridge, so GE0/0/1 and GE0/0/2 on SW1 are designated ports. • GE0/0/2 on SW2 is the alternate port.

• The figure shows the STP port state transition. The STP-enabled device has the following five port states: • Forwarding: A port can forward user traffic and BPDUs. Only the root port or designated port can enter the Forwarding state.

• Learning: When a port is in Learning state, a device creates MAC address entries based on user traffic received on the port but does not forward user traffic through the port. The Learning state is added to prevent temporary loops. • Listening: A port in Listening state can forward BPDUs, but cannot forward user traffic.

• Blocking: A port in Blocking state can only receive and process BPDUs, but cannot forward BPDUs or user traffic. The alternate port is in Blocking state. • Disabled: A port in Disabled state does not forward BPDUs or user traffic.

• Root bridge fault: ▫ On a stable STP network, a non-root bridge periodically receives BPDUs from the root bridge. ▫ If the root bridge fails, the downstream switch stops sending BPDUs. As a result, the downstream switch cannot receive BPDUs from the root bridge. ▫ If the downstream switch does not receive BPDUs, the Max Age timer (the default value is 20s) expires. As a result, the record about the received BPDUs becomes invalid. In this case, the non-root bridges send configuration BPDUs to each other to elect a new root bridge. • Port state: ▫ The alternate port of SW3 enters the Listening state from the Blocking state after 20s and then enters the Learning state. Finally, the port enters the Forwarding state to forward user traffic. • Convergence time: ▫ It takes about 50s to recover from a root bridge failure, which is equal to the value of the Max Age timer plus twice the value of the Forward Delay timer.

• Direct link fault: ▫ When two switches are connected through two links, one is the active link and the other is the standby link. ▫ When the network is stable, SW2 detects that the link of the root port is faulty, and the alternate port enters the Forwarding state. • Port state: ▫ The alternate port transitions from the Blocking state to the Listening, Learning, Forwarding states in sequence.

• Convergence speed: ▫ If a direct link fails, the alternate port restores to the Forwarding state after 30s.

• Indirect link fault: ▫ On a stable STP network, a non-root bridge periodically receives BPDUs from the root bridge. ▫ If the link between SW1 and SW2 is faulty (not a physical fault), SW2 cannot receive BPDUs from SW1. The Max Age timer (the default value is 20s) expires. As a result, the record about the received BPDUs becomes invalid. ▫ In this case, the non-root bridge SW2 considers that the root bridge fails and considers itself as the root bridge. Then SW2 sends its own configuration BPDU to SW3 to notify SW3 that it is the new root bridge. ▫ During this period, the alternate port of SW3 does not receive any BPDU that contains the root bridge ID. After the Max Age timer expires, the port enters the Listening state and starts to forward the BPDU that contains the root bridge ID from the upstream device to SW2. ▫ After the Max Age timer expires, SW2 and SW3 receive BPDUs from each other almost at the same time and perform STP recalculation. SW2 finds that the BPDU sent by SW3 is superior, so it does not declare itself as the root bridge and re-determines the port role. • Port state: ▫ The alternate port of SW3 enters the Listening state from the Blocking state after 20s and then enters the Learning state. Finally, the port enters the Forwarding state to forward user traffic.

• Convergence time: ▫ It takes about 50s to recover from an indirect link failure, which is equal to the value of the Max Age timer plus twice the value of the Forward Delay timer.

• On a switching network, a switch forwards data frames based on the MAC address table. By default, the aging time of MAC address entries is 300 seconds. If the spanning tree topology changes, the forwarding path of the switch also changes. In this case, the entries that are not aged in a timely manner in the MAC address table may cause data forwarding errors. Therefore, the switch needs to update the MAC address entries in a timely manner after the topology changes. • In this example, the MAC address entry on SW2 defines that packets can reach Host A through GE0/0/3 and reach Host B through GE0/0/3. The root port of SW3 is faulty, causing the spanning tree topology to re-converge. After the spanning tree topology re-converges, Host B cannot receive frames sent by Host A. This is because the aging time of MAC address entries is 300s. After a frame sent from Host A to Host B reaches SW2, SW3 forwards the frame through GE0/0/3.

• When the network topology changes, the root bridge sends TCN BPDUs to notify other devices of the topology change. The root bridge generates TCs to instruct other switches to age existing MAC address entries. • The process of topology change and MAC address entry update is as follows:

1. After SW3 detects the network topology change, it continuously sends TCN BPDUs to SWB. 2. After SW2 receives the TCN BPDUs from SW3, it sets the TCA bit in the Flags field of the BPDUs to 1 and sends the BPDUs to SW3, instructing SW3 to stop sending TCN BPDUs. 3. SW2 forwards the TCN BPDUs to the root bridge. 4. SW1 sets the TC bit in the Flags field of the configuration BPDU to 1 and sends the configuration BPDU to instruct the downstream device to change the aging time of MAC address entries from 300s to the value of the Forward Delay timer (15s by default). 5. The incorrect MAC address entries on SW2 are automatically deleted after 15s at most. Then, SW2 starts to learn MAC address entries again and forwards packets based on the learned MAC address entries.

• The IEEE 802.1w standard released in 2001 defines RSTP. RSTP is an improvement on STP and implements fast network topology convergence. • RSTP is evolved from STP and has the same working mechanism as STP. When the topology of a switching network changes, RSTP can use the Proposal/Agreement mechanism to quickly restore network connectivity. • RSTP removes three port states, defines two new port roles, and distinguishes port attributes based on port states and roles. In addition, RSTP provides enhanced features and protection measures to ensure network stability and fast convergence. • RSTP is backward compatible with STP, which is not recommended because STP slow convergence is exposed. • Improvements made in RSTP: ▫ RSTP processes configuration BPDUs differently from STP.

▪ When the topology becomes stable, the mode of sending configuration BPDUs is optimized. ▪ RSTP uses a shorter timeout interval of BPDUs. ▪ RSTP optimizes the method of processing inferior BPDUs.

▫ RSTP changes the configuration BPDU format and uses the Flags field to describe port roles. ▫ RSTP topology change processing: Compared with STP, RSTP is optimized to

accelerate the response to topology changes.

• From the perspective of configuration BPDU transmission: ▫ An alternate port is blocked after learning a configuration BPDU sent from another network bridge. ▫ A backup port is blocked after learning a configuration BPDU sent from itself. • From the perspective of user traffic: ▫ An alternate port acts as a backup of the root port and provides an alternate path from the designated bridge to the root bridge. ▫ A backup port backs up a designated port and provides a backup path from the root bridge to the related network segment.

• In STP, it takes 15 seconds for the port of a switch connected to a user terminal to transition from Disabled to Forwarding. During this period, the user terminal cannot access the Internet. If the network changes frequently, the Internet access status of the user terminal is unstable. • An edge port is directly connected to a user terminal and is not connected to any switching device. An edge port does not receive or process configuration BPDUs and does not participate in RSTP calculation. It can transition from Disabled to Forwarding without any delay. An edge port becomes a common STP port once it receives a configuration BPDU. The spanning tree needs to be recalculated, which leads to network flapping.

• RSTP deletes two port states defined in STP, reducing the number of port states to three. 1. A port in Discarding state does not forward user traffic or learn MAC addresses. 2. A port in Learning state does not forward user traffic but learns MAC addresses. 3. A port in Forwarding state forwards user traffic and learns MAC addresses.

• VBST brings in the following benefits: ▫ Eliminates loops. ▫ Implements link multiplexing and load balancing, and therefore improves link use efficiency. ▫ Reduces configuration and maintenance costs. • If a great number of VLANs exist on a network, spanning tree computation for each VPN consumes a huge number of switch processor resources.

• Intelligent Stack (iStack) enables multiple iStack-capable switches to function as a logical device. • Before an iStack system is set up, each switch is an independent entity and has its own IP address and MAC address. You need to manage the switches separately. After an iStack system is set up, switches in the iStack system form a logical entity and can be managed and maintained using a single IP address. iStack technology improves forwarding performance and network reliability, and simplifies network management.

• As shown in the figure, SW3 is connected to FW1 and FW2 through dual uplinks. In this way, Switch3 has two uplinks to the uplink device. Smart Link can be configured on SW3. In normal situations, the link on Port2 functions as a backup link. If the link on Port1 fails, Smart Link automatically switches data traffic to the link on Port2 to ensure service continuity.

• Answer: A

• Configure VLANs on the Layer 2 switch. Each VLAN uses an independent switch interface to connect to the router. • The router provides two physical interfaces as the default gateways of PCs in VLAN 10 and VLAN 20, respectively, for the PCs to communicate with each other.

• R1 connects to SW1 through a physical interface (GE 0/0/1). Two sub-interfaces (GE 0/0/1.10 and GE 0/0/1.20) are created on the physical interface and used as the default gateways of VLAN 10 and VLAN 20, respectively. • Layer 3 sub-interfaces do not support VLAN packets and discard them once received. To prevent this issue, the VLAN tags need to be removed from the packets on the subinterfaces. That is, VLAN tag termination is required.

• A sub-interface implements VLAN tag termination as follows: ▫ Removes VLAN tags from the received packets before forwarding or processing the packets. ▫ Adds VLAN tags to the packets before forwarding the packets.

• The interface interface-type interface-number.sub-interface number command creates a sub-interface. sub-interface number specifies the number of a sub-interface on a physical interface. For easy memorization, a sub-interface number is generally the same as the VLAN ID to be terminated on the sub-interface. • The dot1q termination vid command enables Dot1q VLAN tag termination for singletagged packets on a sub-interface. By default, Dot1q VLAN tag termination for singletagged packets is not enabled on sub-interfaces. The arp broadcast enable command enables ARP broadcast on a VLAN tag termination sub-interface. By default, ARP broadcast is not enabled on VLAN tag termination sub-interfaces. VLAN tag termination sub-interfaces cannot forward broadcast packets and automatically discard received ones. To allow a VLAN tag termination sub-interface to forward broadcast packets, run the arp broadcast enable command.

• The interface vlanif vlan-id command creates a VLANIF interface and displays the VLANIF interface view. vlan-id specifies the ID of the VLAN associated with the VLANIF interface. The IP address of a VLANIF interface is used as the gateway IP address of a PC and must be on the same network segment as the IP address of the PC.

• NAPT: translates the IP address and port number in an IP packet header to another IP address and port number. NAPT is mainly used to enable devices on an internal network (private IP addresses) to access an external network (public IP addresses). NAPT allows multiple private IP addresses to be mapped to the same public IP address. In this way, multiple private IP addresses can access the Internet at the same time using the same public IP address.

• This example assumes that the required ARP or MAC address entries already exist on all devices.

• Network Address Translation (NAT) translates the IP addresses in IP packet headers to other IP addresses.

1. Configure the interface as a trunk or hybrid interface to permit packets carrying VLAN

tags corresponding to terminals. 2. The source and destination IP addresses remain unchanged during packet forwarding

(without NAT), but the source and destination MAC addresses change. Each time a packet passes through a Layer 3 device, its source and destination MAC addresses change.

• As networks rapidly develop and applications become more and more diversified, various value-added services (VASs) are widely deployed. Network interruption may cause many service exceptions and huge economic losses. Therefore, the reliability of networks has become a focus.

• An Eth-Trunk can be treated as a physical Ethernet interface. The only difference between the Eth-Trunk and physical Ethernet interface is that the Eth-Trunk needs to select one or more member interfaces to forward traffic.

• The following parameters must be the same for member interfaces in an Eth-Trunk: ▫ Interface rate ▫ Duplex mode ▫ VLAN configurations: The interface type must be the same (access, trunk, or hybrid). For access interfaces, the default VLAN of the member interfaces must be the same. For trunk interfaces, the allowed VLANs and the default VLAN of the member interfaces must be the same.

• As shown in the preceding figure, four interfaces of SW1 are added to an Eth-Trunk, but the peer end of one interface is SW3 instead of SW2. In this case, some traffic is load balanced to SW3, causing communication exceptions.

• Configure an Eth-Trunk in LACP mode between SW1 and SW2 and add four interfaces to an Eth-Trunk. The four interfaces are numbered 1, 2, 3, and 4. On SW1 and SW2, set the maximum number of active interfaces in the Eth-Trunk to 2 and retain the default settings for the other parameters (system priority and interface priority). • SW1 and SW2 send LACPDUs through member interfaces 1, 2, 3, and 4. • When receiving LACPDUs from the peer end, SW1 and SW2 compare the system priorities, which use the default value 32768 and are the same. Then they compare MAC addresses. The MAC address of SW1 is 4c1f-cc58-6d64, and the MAC address of SW2 is 4c1f-cc58-6d65. SW1 has a smaller MAC address and is preferentially elected as the Actor.

• LACP uses the following flags in an LACPDU to identify the interface status. If the three flags are set to 1, the interface is an active interface. ▫ Synchronization ▫ Collecting ▫ Distributing • If the three flags are set to 0, the interface is an inactive interface.

• If the IP addresses of packets change frequently, load balancing based on the source IP address, destination IP address, or source and destination IP addresses is more suitable for load balancing among physical links.

• If MAC addresses of packets change frequently and IP addresses are fixed, load balancing based on the source MAC address, destination MAC address, or source and destination MAC addresses is more suitable for load balancing among physical links. • If the selected load balancing mode is unsuitable for the actual service characteristics, traffic may be unevenly load balanced. Some member links have high load, but other member links are idle. For example, if the source and destination IP addresses of packets change frequently but the source and destination MAC addresses are fixed and traffic is load balanced based on the source and destination MAC addresses, all traffic is transmitted over one member link.

• The maximum number of active interfaces varies according to switch models. For example, the maximum number of active interfaces in an Eth-Trunk is 32 on the S6720HI, S6730H, S6730S, and S6730S-S, and is 16 on the S6720LI, S6720S-LI, S6720SI, and S6720S-SI. For details, see the product manual. • The minimum number of active interfaces is configured to ensure the minimum bandwidth. If the bandwidth is too small, services that require high link bandwidth may be abnormal. In this case, you can disconnect the Eth-Trunk interface to switch services to other paths through the high reliability mechanism of the network, ensuring

normal service running.

1. Packet disorder may occur if packets are load balanced to different links based on packets. If packets are load balanced to the same link based on flows, packet disorder will not occur. However, a single flow cannot make full use of the bandwidth of the entire Eth-Trunk. 2. Switches compare system priorities. A smaller value indicates a higher priority. If the system priorities are the same, the bridge MAC addresses are compared. A smaller bridge MAC address indicates a higher priority. The device with a higher priority becomes the Actor. 3. CSS and iStack simplify network management, improve network reliability, make full use of network link bandwidth, and use inter-device Eth-Trunk to construct a loopfree physical network.

• Note: ▫ The implementation of ACLs varies with vendors. This course describes the ACL technology implemented on Huawei devices. ▫ A local area network (LAN) is a computer network that connects computers in a limited area, such as a residential area, a school, a lab, a college campus, or an office building.

• Rapid network development brings the following issues to network security and QoS: ▫ Resources on the key servers of an enterprise are obtained without permission, and confidential information of the enterprise leaks, causing a potential security risk to the enterprise.

▫ The virus on the Internet spreads to the enterprise intranet, threatening intranet security. ▫ Network bandwidth is occupied by services randomly, and bandwidth for delaysensitive services such as voice and video cannot be guaranteed, lowering user experience. • These issues seriously affect network communication, so network security and QoS need to be improved urgently. For example, a tool is required to filter traffic.

• ACLs accurately identify and control packets on a network to manage network access behaviors, prevent network attacks, and improve bandwidth utilization. In this way, ACLs ensure security and QoS. ▫ An ACL is a set of sequential rules composed of permit or deny statements. It classifies packets by matching fields in packets. ▫ An ACL can match elements such as source and destination IP addresses, source and destination port numbers, and protocol types in IP datagrams. It can also match routes. • In this course, traffic filtering is used to describe ACLs.

• ACL composition: ▫ ACL number: An ACL is identified by an ACL number. Each ACL needs to allocated an ACL number. The ACL number range varies according to the ACL type, which will be described later. ▫ Rule: As mentioned above, an ACL consists of several permit/deny statements, and each statement is a rule of the ACL. ▫ Rule ID: Each ACL rule has an ID, which identifies the rule. Rule IDs can be manually defined or automatically allocated by the system. A rule ID ranges from 0 to 4294967294. All rules are arranged in the ascending order of rule ID.

▫ Action: Each rule contains a permit or deny action. ACLs are usually used together with other technologies, and the meanings of the permit and deny actions may vary according to scenarios. ▪ For example, if an ACL is used together with traffic filtering technology (that is, the ACL is invoked in traffic filtering), the permit action allows traffic to pass and the deny action rejects traffic. ▫ Matching option: ACLs support various matching options. In this example, the matching option is a source IP address. The ACL also supports other matching options, such as Layer 2 Ethernet frame header information (including source and destination MAC addresses and Ethernet frame protocol type), Layer 3 packet information (including destination address and protocol type), and Layer 4 packet information (including TCP/UDP port number). • Question: What does rule 5 permit source 1.1.1.0 0.0.0.255 mean? This will be introduced later.

• Rule ID and step: ▫ Rule ID: Each ACL rule has an ID, which identifies the rule. Rule IDs can be manually defined or automatically allocated by the system. ▫ Step: When the system automatically allocates IDs to ACL rules, the increment between neighboring rule IDs is called a step. The default step is 5. Therefore, rule IDs are 5, 10, 15, and so on. ▪ If a rule is manually added to an ACL but no ID is specified, the system allocates to this rule an ID that is greater than the largest rule ID in the ACL and is the smallest integer multiple of the step value. ▪ The step can be changed. For example, if the step is changed to 2, the system automatically renumbers the rule IDs as 2, 4, 6... • What is the function of a step? Why can't rules 1, 2, 3, and 4 be directly used?

▫ First, let's look at a question. How do I add a rule? ▫ We can manually add rule 11 between rules 10 and 15. ▫ Therefore, setting a step of a ceR1in length facilitates rule insertion between existing rules.

• When an IP address is matched, a 32-bit mask is followed. The 32-bit mask is called a wildcard. • A wildcard is also expressed in dotted decimal notation. After the value is converted to a binary number, the value 0 indicates that the equivalent bit must match and the value 1 indicates that the equivalent bit does not matter. • Let's look at two rules: ▫ rule 5: denies the packets with the source IP address 10.1.1.1. Because the wildcard comprises all 0s, each bit must be strictly matched. Specifically, the host IP address 10.1.1.1 is matched. ▫ rule 15: permits the packets with the source IP address on the network segment 10.1.1.0/24. The wildcard is 0.0.0.11111111, and the last eight bits are 1s, indicating that the bits do not matter. Therefore, the last eight bits of 10.1.1.xxxxxxxx can be any value, and the 10.1.1.0/24 network segment is matched. • For example, if we want to exactly match the network segment address corresponding to 192.168.1.1/24, what is the wildcard? ▫ It can be concluded that the network bits must be strictly matched and the host bits do not matter. Therefore, the wildcard is 0.0.0.255.

• How do I set the wildcard to match the odd IP addresses in the network segment 192.168.1.0/24? ▫ First, let's look at the odd IP addresses, such as 192.168.1.1, 192.168.1.5, and 192.168.1.11.

▫ After the last eight bits are converted into binary numbers, the corresponding addresses are 192.168.1.00000001, 192.168.1.00000101, and 192.168.1.00001011. ▫ We can see the common points. The seven most significant bits of the last eight bits can be any value, and the least significant bit is fixed to 1. Therefore, the answer is 192.168.1.1 0.0.0.254 (0.0.0.11111110). • In conclusion, 1 or 0 in a wildcard can be inconsecutive.

• There are two special wildcards.

▫ If a wildcard comprising all 0s is used to match an IP address, the address is exactly matched. ▫ If a wildcard comprising all 1s is used to match 0.0.0.0, all IP addresses are matched.

• Based on ACL rule definition methods, ACLs can be classified into the following types: ▫ Basic ACL, advanced ACL, Layer 2 ACL, user-defined ACL, and user ACL • Based on ACL identification methods, ACLs can be classified into the following types: ▫ Numbered ACL and named ACL

• Note: You can specify a number for an ACL. The ACLs of different types have different number ranges. You can also specify a name for an ACL to help you remember the ACL's purpose. A named ACL consists of a name and number. That is, you can specify an ACL number when you define an ACL name. If you do not specify a number for a named ACL, the system automatically allocates a number to it.

• Basic ACL: ▫ A basic ACL is used to match the source IP address of an IP packet. The number of a basic ACL ranges from 2000 to 2999. ▫ In this example, ACL 2000 is created. This ACL is a basic ACL. • Advanced ACL: ▫ An advanced ACL can be matched based on elements such as the source IP address, destination IP address, protocol type, and TCP or UDP source and destination port numbers in an IP packet. A basic ACL can be regarded as a subset of an advanced ACL. Compared with a basic ACL, an advanced ACL defines more accurate, complex, and flexible rules.

• The ACL matching mechanism is as follows: ▫ After receiving a packet, the device configured with an ACL matches the packet against ACL rules one by one. If the packet does not match any ACL rule, the device attempts to match the packet against the next ACL rule.

▫ If the packet matches an ACL rule, the device performs the action defined in the rule and stops the matching. • Matching process: The device checks whether an ACL is configured. ▫ If no ACL is configured, the device returns the result "negative match."

▫ If an ACL is configured, the device checks whether the ACL contains rules. ▪ If the ACL does not contain rules, the device returns the result "negative match." ▪ If the ACL contains rules, the device matches the packet against the rules in ascending order of rule ID. − If the packet matches a permit rule, the device stops matching and returns the result "positive match (permit)." − If the packet matches a deny rule, the device stops matching and returns the result "positive match (deny)." − If the packet does not match any rule in the ACL, the device returns the result "negative match."

• An ACL can consist of multiple deny or permit statements. Each statement describes a rule. Rules may overlap or conflict. Therefore, the ACL matching order is very impoR1nt. • Huawei devices support two matching orders: automatic order (auto) and configuration order (config). The default matching order is config. ▫ auto: The system arranges rules according to the precision of the rules ("depth first" principle), and matches packets against the rules in descending order of precision. ––This is complicated and is not detailed here. If you are interested in it, you can view related materials after class. ▫ config: The system matches packets against ACL rules in ascending order of rule ID. That is, the rule with the smallest ID is processed first. ––This is the matching order mentioned above. ▪ If another rule is added, the rule is added to the corresponding position, and packets are still matched in ascending order. • Matching result: ▫ First, let's understand the meaning of ACL 2000. ▪ rule 1: permits packets with the source IP address 192.168.1.1. ▪ rule 2: permits packets with the source IP address 192.168.1.2. ▪ rule 3: denies packets with the source IP address 192.168.1.3. ▪ rule 4: permits packets from all other IP addresses.

• Create a basic ACL. • [Huawei] acl [ number ] acl-number [ match-order config ] ▫ acl-number: specifies the number of an ACL. ▫ match-order config: indicates the matching order of ACL rules. config indicates the configuration order. • [Huawei] acl name acl-name { basic | acl-number } [ match-order config ] ▫ acl-name: specifies the name of an ACL. ▫ basic: indicates a basic ACL. • Configure a rule for the basic ACL. • [Huawei-acl-basic-2000] rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | time-range time-name ]

▫ rule-id: specifies the ID of an ACL rule. ▫ deny: denies the packets that match the rule. ▫ permit: permits the packets that match the rule.

• Configuration roadmap: ▫ Configure a basic ACL and traffic filtering to filter packets from a specified network segment. • Procedure: 1. Configure IP addresses and routes on the router. 2. Create ACL 2000 and configure ACL rules to deny packets from the network segment 192.168.1.0/24 and permit packets from other network segments. 3. Configure traffic filtering. • Note: ▫ The traffic-filter command applies an ACL to an interface to filter packets on the interface. ▫ Command format: traffic-filter { inbound | outbound } acl { acl-number | name acl-name } ▪ inbound: configures ACL-based packet filtering in the inbound direction of an interface. ▪ outbound: configures ACL-based packet filtering in the outbound direction of an interface. ▪ acl: filters packets based on an IPv4 ACL.

• Create an advanced ACL. • [Huawei] acl [ number ] acl-number [ match-order config ] ▫ acl-number: specifies the number of an ACL. ▫ match-order config: indicates the matching order of ACL rules. config indicates the configuration order. • [Huawei] acl name acl-name { advance | acl-number } [ match-order config ] ▫ acl-name: specifies the name of an ACL. ▫ advance: indicates an advanced ACL.

• Configure a rule for the advanced ACL. • When the protocol type is IP: ▫ rule [ rule-id ] { deny | permit } ip [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] ] ] ▪ ip: indicates that the protocol type is IP. ▪ destination { destination-address destination-wildcard | any }: specifies the destination IP address of packets that match the ACL rule. If no destination address is specified, packets with any destination addresses are matched. ▪ dscp dscp: specifies the differentiated services code point (DSCP) of packets that match the ACL rule. The value ranges from 0 to 63. ▪ tos tos: specifies the ToS of packets that match the ACL rule. The value ranges from 0 to 15. ▪ precedence precedence: specifies the precedence of packets that match the ACL rule. The value ranges from 0 to 7.

• Configuration roadmap: ▫ Configure an advanced ACL and traffic filtering to filter the packets exchanged between the R&D and marketing departments. • Procedure: 1. Configure IP addresses and routes on the router. 2. Create ACL 3001 and configure rules for the ACL to deny packets from the R&D department to the marketing department. 3. Create ACL 3002 and configure rules for the ACL to deny packets from the marketing department to the R&D department.

• Procedure: 4. Configure traffic filtering in the inbound direction of GE 0/0/1 and GE 0/0/2. • Note: ▫ The traffic-filter command applies an ACL to an interface to filter packets on the interface. ▫ Command format: traffic-filter { inbound | outbound } acl { acl-number | name acl-name } ▪ inbound: configures ACL-based packet filtering in the inbound direction of an interface. ▪ outbound: configures ACL-based packet filtering in the outbound direction of an interface. ▪ acl: filters packets based on an IPv4 ACL.

1. C 2. parameters such as the source/destination IP address, source/destination port number, protocol type, and TCP flag (SYN, ACK, or FIN).

• Authentication: determines which users can access the network. • Authorization: authorizes users to access specific services. • Accounting: records network resource utilization. • The Internet service provider (ISP) needs to authenticate the account and password of a home broadband user before allowing the user to access the Internet. In addition, the ISP records the online duration or traffic of the user. This is the most common application scenario of the AAA technology.

• The NAS manages users based on domains. Each domain can be configured with different authentication, authorization, and accounting schemes to perform authentication, authorization, and accounting for users in the domain. • Each user belongs to a domain. The domain to which a user belongs is determined by the character string following the domain name delimiter @ in the user name. For example, if the user name is user 1@domain 1, the user belongs to domain 1. If the user name does not end with @, the user belongs to the default domain.

• AAA supports three authentication modes: ▫ Non-authentication: Users are fully trusted and their identities are not checked. This authentication mode is seldom used for security purposes. ▫ Local authentication: Local user information (including the username, password, and attributes) is configured on the NAS. In this case, the NAS functions as the AAA server. Local authentication features fast processing and low operational costs. The disadvantage is that the amount of stored information is limited by device hardware. This authentication mode is often used to manage login users, such as Telnet and FTP users. ▫ Remote authentication: User information (including the username, password, and attributes) is configured on the authentication server. Remote authentication can be implemented through RADIUS or HWTACACS. The NAS functions as a client to communicate with the RADIUS or HWTACACS server.

• The AAA authorization function grants users the permission to access specific networks or devices. AAA supports the following authorization modes: ▫ Non-authorization: Authenticated users have unrestricted access rights on a network.

▫ Local authorization: Users are authorized based on the domain configuration on the NAS. ▫ Remote authorization: The RADIUS or HWTACACS server authorizes users. ▪ In HWTACACS authorization, all users can be authorized by the HWTACACS server. ▪ RADIUS authorization applies only to the users authenticated by the RADIUS server. RADIUS integrates authentication and authorization. Therefore, RADIUS authorization cannot be performed singly.

• When remote authorization is used, users can obtain authorization information from both the authorization server and NAS. The priority of the authorization information configured on the NAS is lower than that delivered by the authorization server.

• AAA supports the following accounting modes: ▫ Non-accounting: Users can access the Internet for free, and no activity log is generated. ▫ Remote accounting: Remote accounting is performed through the RADIUS server or HWTACACS server.

• Of the protocols that are used to implement AAA, RADIUS is the most commonly used. RADIUS is a distributed information exchange protocol based on the client/server structure. It implements user authentication, accounting, and authorization. • Generally, the NAS functions as a RADIUS client to transmit user information to a specified RADIUS server and performs operations (for example, accepting or rejecting user access) based on the information returned by the RADIUS server. • RADIUS servers run on central computers and workstations to maintain user authentication and network service access information. The servers receive connection requests from users, authenticate the users, and send the responses (indicating that the requests are accepted or rejected) to the clients. RADIUS uses the User Datagram Protocol (UDP) as the transmission protocol and uses UDP ports 1812 and 1813 as the authentication and accounting ports, respectively. RADIUS features high real-time performance. In addition, the retransmission mechanism and standby server mechanism are also supported, providing good reliability. • The message exchange process between the RADIUS server and client is as follows: 1. When a user accesses the network, the user initiates a connection request and sends the username and password to the RADIUS client (NAS). 2. The RADIUS client sends an authentication request packet containing the username and password to the RADIUS server.

• The authorization-scheme authorization-scheme-name command configures an authorization scheme for a domain. By default, no authorization scheme is applied to a domain. • The authentication-mode { hwtacacs | local | radius } command configures an authorization mode for the current authorization scheme. By default, local authorization is used.

• The display domain [ name domain-name ]command displays the configuration of a domain. • If the value of Domain-state is Active, the domain is activated. • If the username does not end with @, the user belongs to the default domain. Huawei devices support the following default domains: ▫ The default domain is for common users. ▫ The default_admin domain is the default domain for administrators.

• The display aaa offline-record command displays user offline records.

1. AAA supports the following authentication modes: non-authentication, local authentication, and remote authentication. AAA supports the following authorization modes: non-authorization, local authorization, and remote authorization. AAA supports two accounting modes: non-accounting and remote accounting. 2. If the domain to which a user belongs is not specified when the user is created, the user is automatically associated with the default domain (the administrator is associated with the default_admin domain).

• Because packets with private IP addresses cannot be routed and forwarded on the Internet, IP packets destined for the Internet cannot reach the egress device of the private network due to lack of routes. • If a host that uses a private IP address needs to access the Internet, NAT must be configured on the network egress device to translate the private source address in the IP data packet into a public source address.

• NAPT enables a public IP address to map multiple private IP addresses through ports. In this mode, both IP addresses and transport-layer ports are translated so that different private addresses with different source port numbers are mapped to the same public address with different source port numbers.

• DHCP: Dynamic Host Configuration Protocol • PPPoE: Point-to-Point Protocol over Ethernet

1. Static NAT and NAT Server Static NAT implements bidirectional communication, meaning that external devices are allowed to access an internal server. NAT Server is designed to allow external devices to proactively access an internal server. 2. NAPT can translate multiple private IP addresses into one public IP address, improving public IP address utilization.

• FTP supports two transfer modes: ASCII and binary. • The ASCII mode is used to transfer text files. In this mode, the sender converts characters into the ASCII code format before sending them. After receiving the converted data, the receiver converts it back into characters. The binary mode is usually used to send image files and program files. In this mode, the sender can transfer files without converting the file format. • CC: VRP system file extension

• In active mode, the FTP client uses a random port (with the number greater than 1024) to send a connection request to port 21 of the FTP server. After receiving the request, the FTP server sets up a control connection with the FTP client to transmit control messages. In the meantime, the FTP client starts to listen on port P (another random port with the number greater than 1024) and uses the PORT command to notify the FTP server. When data needs to be transmitted, the FTP server sends a connection request from port 20 to port P of the FTP client to establish a TCP connection for data transmission.

• In passive mode, the FTP client uses a random port (with the number greater than 1024) to send a connection request to port 21 of the FTP server. After receiving the request, the FTP server sets up a control connection with the FTP client to transmit control messages. In the meantime, the FTP client starts to listen on port P (another random port with the number greater than 1024) and uses the PASV command to notify the FTP server. After receiving the PASV command, the FTP server enables port N (a random port with the number greater than 1024) and uses the Enter PASV command to notify the FTP client of the opened port number. When data needs to be transmitted, the FTP client sends a connection request from port P to port N on the FTP server to establish a transmission connection for data transmission. • The active mode and passive mode differ in data connection methods and have their own advantages and disadvantages. ▫ In active mode, if the FTP client is on a private network and a NAT device is deployed between the FTP client and the FTP server, the port number and IP address carried in the PORT packet received by the FTP server are not those of the FTP client converted using NAT. Therefore, the FTP server cannot initiate a TCP connection to the private IP address carried in the PORT packet. In this case, the private IP address of the FTP client is not accessible on the public network. ▫ In passive mode, the FTP client initiates a connection to an open port on the FTP server. If the FTP server lives in the internal zone of a firewall and inter-zone communication between this internal zone and the zone where the FTP client resides is not allowed, the client-server connection cannot be set up. As a result, FTP transfer fails.

• TFTP supports five packet formats: ▫ RRQ: read request packet ▫ WRQ: write request packet ▫ DATA: data transmission packet ▫ ACK: acknowledgment packet, which is used to acknowledge the receipt of a packet from the peer end ▫ ERROR: error control packet

• Currently, mainstream network devices, such as access controllers (ACs), access points (APs), firewalls, routers, switches, and servers, can function as both the Telnet server and Telnet client.

• If a DHCP client does not renew the lease of an assigned IP address after the lease expires, the DHCP server determines that the DHCP client no longer needs to use this IP address, reclaims it, and may assign it to another client.

• A client's DHCP Request packet is broadcast, so other DHCP servers on the network know that the client has selected a particular IP address assigned by the DHCP server. This ensures that other DHCP servers can release this IP address assigned to the client through the unicast DHCP Offer packet.

• URL: uniquely identifies the location of a web page or other resources on the Internet. A URL can contain more detail, such as the name of a page of hypertext, usually identified by the file name extension .html or .htm.

• Advanced Research Projects Agency Network (ARPANET), the predecessor of the Internet, provides the mappings between host names and IP addresses. However, the number of hosts was small at that time. Only one file (HOSTS.txt) is required to maintain the name-to-address mapping. The HOSTS.txt file is maintained by the network information center (NIC). Users who change their host names send their changes to the NIC by email, and the NIC periodically updates the HOSTS.txt file. • However, after ARPANET uses TCP/IP, the number of network users increases sharply, and it seems difficult to manually maintain the HOSTS.txt file. The following issues may occur:

▫ Name conflict: Although the NIC can ensure the consistency of host names that it manages, it is difficult to ensure that the host names are not randomly changed to be the same as those being used by others. ▫ Consistency: As the network scale expands, it is hard to keep the HOSTS.txt file consistent. The names of other hosts may have been changed several times before the HOSTS.txt file of the current host is updated. • Therefore, DNS is introduced.

• The DNS adopts a distributed architecture. The database on each server stores only the mapping between some domain names and IP addresses.

• The iterative query is different from the recursive query in that the DNS response returned by DNS server 1 contains the IP address of another DNS server (DNS server 2).

• Currently, mainstream network devices, such as access controllers (ACs), access points (APs), firewalls, routers, switches, and servers, basically serve as NTP clients, and some of the network devices can also serve as NTP servers.

1. ASCII mode; The binary mode is more applicable to the transmission of non-text files that cannot be converted, such as EXE, BIN, and CC (VRP version file extension) files. 2. A client's DHCP Request packet is broadcast, so other DHCP servers on the network know that the client has selected a particular IP address assigned by the DHCP server. This ensures that other DHCP servers can release this IP address assigned to the client through the unicast DHCP Offer packet. 3. HTML is used to display page content, URL is used to locate the network location of a document or file, and HTTP is used for requesting and transferring files.

• A wireless local area network (WLAN) is constructed using wireless technologies. ▫ Wireless technologies mentioned here include not only Wi-Fi, but also infrared, Bluetooth, and ZigBee. ▫ WLAN technology allows users to easily access a wireless network and move around within the coverage of the wireless network. • Wireless networks can be classified into WPAN, WLAN, WMAN, and WWAN based on the application scope. ▫ Wireless personal area network (WPAN): Bluetooth, ZigBee, NFC, HomeRF, and UWB technologies are commonly used. ▫ Wireless local area network (WLAN): The commonly used technology is Wi-Fi. WPAN-related technologies may also be used in WLANs. ▫ Wireless metropolitan area network (WMAN): Worldwide Interoperability for Microwave Access (WiMAX) is commonly used. ▫ Wireless wide area network (WWAN): GSM, CDMA, WCDMA, TD-SCDMA, LTE, and 5G technologies are commonly used.

• Phase 1: Initial Mobile Office Era — Wireless Networks as a Supplement to Wired Networks ▫ WaveLAN technology is considered as the prototype of enterprise WLAN. Early Wi-Fi technologies were mainly applied to IoT devices such as wireless cash registers. However, with the release of 802.11a/b/g standards, wireless connections have become increasingly advantageous. Enterprises and consumers are beginning to realize the potential of Wi-Fi technologies, and wireless hotspots are found to be deployed in cafeterias, airports, and hotels. ▫ The name Wi-Fi was also created during this period. It is the trademark of the Wi-Fi Alliance. The original goal of the alliance was to promote the formulation of the 802.11b standard as well as the compatibility certification of Wi-Fi products worldwide. With the evolution of standards and the popularization of standard-compliant products, people tend to equate Wi-Fi with the 802.11 standard. ▫ The 802.11 standard is one of many WLAN technologies, and yet it has become a mainstream standard in the industry. When a WLAN is mentioned, it usually is a WLAN using the Wi-Fi technology. ▫ The first phase of WLAN application eliminated the limitation of wired access, with the goal to enable devices to move around freely within a ceR1in range. That is, WLAN extends wired networks with the utilization of wireless networks. In this phase, WLANs do not have specific requirements on security, capacity, and roaming capabilities. APs are still single access points used for wireless coverage in single-point networking. Generally, an AP using a single access point architecture is called a Fat AP.

• When the IEEE 802.11ax standard is released, the Wi-Fi Alliance renames the new WiFi specification to Wi-Fi 6, the mainstream IEEE 802.11ac to Wi-Fi 5, and IEEE 802.11n to Wi-Fi 4. The same naming convention applies to other generations.

• A WLAN involves both wired and wireless sides. On the wired side, APs connect to the Internet using Ethernet. On the wireless side, STAs communicate with APs using 802.11 standards. • The wireless side uses the centralized architecture. The original Fat AP architecture evolves to the AC + Fit AP architecture. ▫ Fat AP architecture ▪ This architecture is also called autonomous network architecture because it does not require a dedicated device for centralized control. It can implement functions such as connecting wireless users, encrypting service data, and forwarding service data packets. ▪ Applicable scope: home ▪ Characteristics: A Fat AP works independently and is configured separately. It provides only simple functions and is cost-effective. ▪ Disadvantages: The increase in the WLAN coverage area and the number of access users requires more and more Fat APs. No unified control device is available for these independently working Fat APs. Therefore, it is difficult to manage and maintain the Fat APs.

• Enterprise WLAN products: • AP ▫ The AP can switch flexibly among the Fat, Fit, and cloud modes based on the network plan. ▫ Fat AP: applies to home WLANs. A Fat AP works independently and requires separate configurations. It provides only simple functions and is cost-effective. The Fat AP independently implements functions such as user access, authentication, data security, service forwarding, and QoS. ▫ Fit AP: applies to medium- and large-sized enterprises. Fit APs are managed and configured by the AC in a unified manner, provide various functions, and have high requirements on network maintenance personnel's skills. Fit APs must work with an AC for user access, AP going-online, authentication, routing, AP management, security, and QoS. ▫ Cloud AP: applies to small- and medium-sized enterprises. Cloud APs are managed and configured by a cloud management platform in a unified manner, provide various functions, support plug-and-play, and have low requirements on network maintenance personnel's skills. • AC ▫ An AC is usually deployed at the aggregation layer of a network to provide highspeed, secure, and reliable WLAN services. ▫ Huawei ACs provide a large capacity and high performance. They are highly reliable, easy to install and maintain, and feature such advantages as flexible networking and energy conservation.

• PoE can be used to effectively provide centralized power for terminals such as IP phones, APs, poR1ble device chargers, POS machines, cameras, and data collection devices. With PoE, terminals are provided with power when they access the network. Therefore, indoor cabling of power supply is not required.

• AP-AC networking: The Layer 2 or Layer 3 networking can be used between the AC and APs. In the Layer 2 networking, APs can go online in plug-and-play mode through Layer 2 broadcast or DHCP. In the Layer 3 networking, APs cannot directly discover an AC. We need to deploy DHCP or DNS, or manually specify the AC's IP address. • In the actual networking, an AC may connect to dozens or even hundreds of APs, which is complex. For example, on an enterprise network, APs can be deployed in offices, meeting rooms, and guest rooms, and the AC can be deployed in the equipment room. This constructs a complex Layer 3 network between the AC and APs. Therefore, the Layer 3 networking is often used on large-scale networks.

• AC connection mode: In in-path mode, the AC is deployed on the traffic forwarding path, and user traffic passes through the AC. This consumes the AC's forwarding capability. In off-path mode, traffic does not pass through the AC. • In-path networking:

▫ In the in-path networking, the AC must be powerful in throughput and processing capabilities, or the AC becomes the bandwidth bottleneck. ▫ This networking has a clear architecture and is easy to deploy. • Off-path networking:

▫ Most wireless networks are deployed after wired networks are constructed and are not planned in early stage of network construction. The off-path networking makes it easy to expand the wireless network. Customers only need to connect an AC to a network device, for example, an aggregation switch, to manage APs. Therefore, the off-path networking is used more often. ▫ In the off-path networking, the AC only manages APs, and management flows are encapsulated and transmitted in CAPWAP tunnels. Data flows can be forwarded to the AC over CAPWAP tunnels, or forwarded to the uplink network by the aggregation switch and do not pass through the AC.

• To meet the requirements of large-scale networking and unified management of APs on the network, the Internet Engineering Task Force (IETF) sets up a CAPWAP Working Group and formulates the CAPWAP protocol. This protocol defines how an AC manages and configures APs. That is, CAPWAP tunnels are established between the AC and APs, through which the AC manages and controls the APs. • CAPWAP is an application-layer protocol based on UDP transmission. ▫ CAPWAP functions in the transmission of two types of messages: ▪ Data messages, which encapsulate wireless data frames through the CAPWAP data tunnel. ▪ Control messages, which are exchanged for AP management through the CAPWAP control tunnel. ▫ CAPWAP data and control packets are transmitted on different UDP ports:

▪ UDP port 5246 for transmitting control packets ▪ UDP port 5247 for transmitting data packets

• Source coding is a process of converting raw information into digital signals by using a coding scheme. • Channel coding is a technology for correcting and detecting information errors to improve channel transmission reliability. With wireless transmission that is prone to noise interference, information arriving at the receive device may be erroneous. Channel coding is introduced to restore information to the maximum extent on the receive device, thereby reducing the bit error rate. • Modulation is a process of superimposing digital signals on high-frequency signals generated by high-frequency oscillation circuits so that the digital signals be converted into radio waves over antennas and then transmitted. • A channel transmits information, and a radio channel is a radio wave in space. • The air interface is used by radio channels. The transmit device and receive device are connected through the air interfaces and channels. The air interfaces in wireless communication are invisible and connected over the air.

• ELF (3 Hz to 30 Hz): Used for submarine communication or directly converted into sound • SLF (30 Hz to 300 Hz): Directly converted into sound or used for AC transmission system (50–60 Hz)

• ULF (300 Hz to 3 kHz): Used for communications in mining farms or directly converted into sound • VLF (3 kHz to 30 kHz): Directly converted into sound and ultrasound or used for geophysics

• LF (30 kHz to 300 kHz): Used for international broadcasting • IF (300 kHz to 3 MHz): Used for amplitude modulation (AM) broadcasting, maritime communications, and aeronautical communications • HF (3 MHz to 30 MHz): Used for short-wave and civil radios

• VHF (30 MHz to 300 MHz): Used for frequency modulation (FM) broadcasting, television broadcasting, and aeronautical communications • UHF (300 MHz to 3 GHz): Used for television broadcasting, radio telephone communications, wireless network, and microwave oven

• SHF (3 GHz to 30 GHz): Used for wireless network, radar, and artificial satellite • EHF (30 GHz to 300 GHz): Used for radio astronomy, remote sensing, and millimeter wave scanner • Higher than 300 GHz: Infrared, visible light, ultraviolet light, and ray

• On a WLAN, the operating status of APs is affected by the radio environment. For example, a high-power AP can interfere with adjacent APs if they work on overlapping channels. • In this case, the radio calibration function can be deployed to dynamically adjust channels and power of APs managed by the same AC to ensure that the APs work at the optimal performance.

• BSS: ▫ A BSS, the basic service unit of a WLAN, consists of an AP and multiple STAs. The BSS is the basic structure of an 802.11 network. Wireless media can be shared, and therefore packets sent and received in a BSS must carry the BSSID (AP's MAC address). • BSSID: ▫ AP's MAC address on the data link layer. ▫ STAs can discover and find an AP based on the BSSID.

▫ Each BSS must have a unique BSSID. Therefore, the AP's MAC address is used to ensure the uniqueness of the BSSID. • SSID: ▫ A unique identifier that identifies a wireless network. When you search for available wireless networks on your laptop, SSIDs are displayed to identify the available wireless networks. ▫ If multiple BSSs are deployed in a space, the STA may discover not only one BSSID. You only need to select a BSSID as required. For easier AP identification, a string of characters is configured as the AP name. This character string is the SSID.

• VAP: ▫ A VAP is a functional entity virtualized on a physical AP. You can create different VAPs on an AP to provide the wireless access service for different user groups. • The use of VAPs simplifies WLAN deployment, but it does not mean that we need to configure as many as VAPs. VAPs must be planned based on actual requirements. Simply increasing the number of VAPs will increase the time for STAs to find SSIDs and make AP configuration more complex. Additionally, a VAP is not equivalent to a real AP. All VAPs virtualized from a physical AP share software and hardware resources of the AP, and all users associated with these VAPs share same channel resources. The capacity of an AP will not change or multiply with the increasing number of VAPs.

• ESS: ▫ A large-scale virtual BSS consisting of multiple BSSs with the same SSID. ▫ A STA can move and roam within an ESS and considers that it is within the same WLAN regardless of its location. • WLAN roaming: ▫ WLAN roaming allows STAs to move within the coverage areas of APs belonging to the same ESS with nonstop service transmission. ▫ The most obvious advantage of the WLAN is that a STA can move within a WLAN without physical media restrictions. WLAN roaming allows the STA to move within a WLAN without service interruption. Multiple APs are located within an ESS. When a STA moves from an AP to another, WLAN roaming ensures seamless transition of STA services between APs.

• The Fat AP architecture is also called autonomous network architecture because it does not require a dedicated device for centralized control and can implement functions such as wireless user access, service data encryption, and service data packet forwarding. • A Fat AP is independent and requires no additional centralized control device. Therefore, Fat APs are easy to deploy and cost-effective. These advantages make the Fat AP architecture most suitable for home WLANs. However, in an enterprise, independent autonomy of Fat APs becomes a disadvantage. • The increase in the WLAN coverage area and the number of access users requires more and more Fat APs. No unified control device is available for these independently working Fat APs. Therefore, it is difficult to manage and maintain the Fat APs. For example, to upgrade the software version of APs, we must upgrade each Fat AP separately, which is time-consuming and labor-intensive. The Fat AP architecture cannot meet the roaming requirements of STAs in a larger coverage area. Additionally, the Fat AP architecture cannot support complex services, such as priority policy control based on different data types of network users. • Therefore, the Fat AP architecture is not recommended for enterprises. Instead, the AC + Fit AP, cloud management, and leader AP architectures are more suitable.

• The AC and Fit APs communicate through CAPWAP. With CAPWAP, APs automatically discover the AC, the AC authenticates the APs, and the APs obtain the software package and the initial and dynamic configurations from the AC. CAPWAP tunnels are established between the AC and APs. CAPWAP tunnels include control and data tunnels. The control tunnel is used to transmit control packets (also called management packets, which are used by the AC to manage and control APs). The data tunnel is used to transmit data packets. The CAPWAP tunnels allow for Datagram Transport Layer Security (DTLS) encryption, so that transmitted packets are more secure. • Compared with the Fat AP architecture, the AC + Fit AP architecture has the following advantages: ▫ Easier configuration and deployment: The AC centrally configures and manages the wireless network so that you do not need to configure each AP separately. In addition, the channels and power of APs on the entire network are automatically adjusted, eliminating the need for manual adjustment.

• Disadvantages of traditional network solutions: ▫ Traditional network solutions have many network deployment problems, such as high deployment costs and O&M difficulties. These problems are obvious in enterprises with many branches or geographically dispersed branches.

• Cloud management architecture: ▫ The cloud management architecture can solve the problems faced by traditional network solutions. The cloud management platform can manage and maintain devices in a centralized manner at any place, greatly reducing network deployment and O&M costs. ▫ After a cloud AP is deployed, the network administrator does not need to go to the site for cloud AP software commissioning. After power-on, the cloud AP automatically connects to the specified cloud management platform to load system files such as the configuration file, software package, and patch file. In this manner, the cloud AP can go online with zero touch configuration. The network administrator can deliver configurations to the cloud APs through the cloud management platform at anytime and anywhere, facilitating batch service configurations.

• In the AC + Fit AP networking architecture, the AC manages APs in a unified manner. Therefore, all configurations are performed on the AC.

• CAPWAP tunnels provide the following functions: ▫ Maintains the running status of the AC and APs. ▫ Allows the AC to manage APs and deliver configurations to APs. ▫ Transmits service data to the AC for centralized forwarding. • AC discovery phase: ▫ Static: An AC IP address list is preconfigured on the APs. When an AP goes online, the AP unicasts a Discovery Request packet to each AC whose IP address is specified in the preconfigured AC IP address list. After receiving the Discovery Request packet, the ACs send Discovery Response packets to the AP. The AP then selects an AC to establish a CAPWAP tunnel according to the received Discovery Request packets. ▫ Dynamic: DHCP, DNS, and broadcast. This course describes DHCP and broadcast modes.

• DHCP mode: ▫ Obtain the AC IP address through a four-way DHCP handshake process. ▪ When no AC IP address list is preconfigured, the AP starts the dynamic AC auto-discovery process. The AP obtains an IP address through DHCP and the AC address list through the Option field in the DHCP packets. (The DHCP server is configured to carry Option 43 in the DHCP Offer packet, and Option 43 contains the AC IP address list.) ▪ First, the AP sends a DHCP Discover packet to the DHCP server in broadcast mode. When receiving the DHCP Discover packet, the DHCP server encapsulates the first free IP address and other TCP/IP configuration in a DHCP Offer packet containing the lease duration, and sends the packet to the AP. ▪ A DHCP Offer packet can be a unicast or broadcast packet. When the AP receives DHCP Offer packets from multiple DHCP servers, it selects only one DHCP Offer packet (usually the first DHCP Offer packet) and broadcasts a DHCP Request packet to all DHCP servers. Then, the AP sends a DHCP Request packet to the specified server from which will allocate an IP address. ▪ When the DHCP server receives the DHCP Request packet, it responds with a DHCP Ack packet, which contains the IP address for the AP, lease duration, gateway information, and DNS server IP address. By now, the lease contract takes effect and the DHCP four-way handshake is completed.

• After receiving the Join Request packet from an AP, an AC authenticates the AP. If authentication is successful, the AC adds the AP. • The AC supports the following AP authentication modes: ▫ MAC address authentication ▫ SN authentication ▫ Non-authentication • APs can be added to an AC in the following ways: ▫ Manual configuration: Specify the MAC addresses and SNs of APs in offline mode on the AC in advance. When APs are connected the AC, the AC finds that their MAC addresses and SNs match the preconfigured ones and establish connections with them. ▫ Automatic discovery: If the AP authentication mode is set to non-authentication, or the AP authentication mode is set to MAC or SN authentication and the AP is whitelisted, the AC automatically discovers connected APs and establish connections with them. ▫ Manual confirmation: If the AP authentication mode is set to MAC or SN authentication and the AP is not imported offline or whitelisted, the AC adds the AP to the list of unauthorized APs. You can manually confirm the identity of such an AP to bring it online.

• APs can be upgraded on an AC in the following modes: ▫ Automatic upgrade: mainly used when APs have not gone online on an AC. In this mode, we need to configure the automatic upgrade parameters for APs to go online before configuring AP access. Then the APs are automatically upgraded when they go online. An online AP will be automatically upgraded after the automatic upgrade parameters are configured and the AP is restarted in any mode. Compared with the automatic upgrade mode, the in-service upgrade mode reduces the service interruption time. ▪ AC mode: applies when a small number of APs are deployed. APs download the upgrade file from the AC during the upgrade. ▪ FTP mode: applies to file transfer without high network security requirements. APs download the upgrade file from an FTP server during the upgrade. In this mode, data is transmitted in clear text, which brings security risks. ▪ SFTP mode: applies to scenarios that require high network security and provides strict encryption and integrity protection for data transmission. APs download the upgrade file from an SFTP server during an upgrade. ▫ In-service upgrade: mainly used when APs are already online on the AC and carry WLAN services. ▫ Scheduled upgrade: mainly used when APs are already online on the AC and carry WLAN services. The scheduled upgrade is usually performed during offpeak hours.

• Data tunnel maintenance: ▫ The AP and AC exchange Keepalive packets (through the UDP port 5247) to detect the data tunnel connectivity. • Control tunnel maintenance: ▫ The AP and AC exchange Echo packets (through the UDP port 5246) to detect the control tunnel connectivity.

• Regulatory domain profile: ▫ A regulatory domain profile provides configurations of the country code, calibration channel, and calibration bandwidth for an AP. ▫ A country code identifies the country in which the APs are deployed. Country codes regulate different AP radio attributes, including the transmit power and supported channels. Correct country code configuration ensures that radio attributes of APs comply with local laws and regulations. • Configure a source interface or address on the AC.

▫ Specify a unique IP address, VLANIF interface, or Loopback interface on an AC. In this manner, APs connected to the AC can learn the specified IP address or the IP address of the specified interface to establish CAPWAP tunnels with the AC. This specified IP address or interface is called the source address or interface. ▫ Only after the unique source interface or address is specified on an AC, can APs establish CAPWAP tunnels with the AC. ▫ A VLANIF or Loopback interface can be used as the source interface, and their IP addresses can be configured as the source address. • Add APs: Configure the AP authentication mode and enable APs to go online. ▫ You can add APs by importing them in offline mode, automatic discovery, and manual confirmation.

• After an AP goes online, it sends a Configuration Status Request containing its running configuration to the AC. The AC then compares the AP's running configuration with the local AP configuration. If they are inconsistent, the AC sends a Configuration Status Response message to the AP. • Note: After an AP goes online, it obtains the existing configuration from the AC. The AC then manages the AP and delivers service configurations to the AP.

• Configure basic radio parameters: ▫ Configure different radio parameters for AP radios based on actual WLAN environments, so that the AP radios can work at the optimal performance. ▪ If working channels of adjacent APs have overlapping frequencies, signal interference occurs and affects AP working status. To prevent signal interference and enable APs to work at the optimal performance with higher WLAN quality, configure any two adjacent APs to work on nonoverlapping channels. ▪ Configure the transmit power and antenna gain for radios according to actual network environments so that the radios provide sufficient signal strength, improving signal quality of WLANs. ▪ In actual application scenarios, two APs may be connected over dozens of meters to dozens of kilometers. Due to different AP distances, the time to wait for ACK packets from the peer AP varies. A proper timeout value can improve data transmission efficiency between APs. ▫ Basic radio parameters can be configured on AP group radios and AP radios. The configuration in the AP group radio view takes effect on all AP radios in an AP group; the configuration in the AP radio view takes effect only on a specified AP radio the configuration in the AP group radio view. • Radio profile ▫ You can adjust and optimize radio parameters to adapt to different network environments, enabling APs to provide required radio capabilities and improving signal quality of WLANs. After parameters in a radio profile are delivered to an AP, only the parameters supported by the AP can take effect. ▫ Parameters that can be configured include the radio type, radio rate, multicast rate of radio packets, and interval at which an AP sends Beacon frames.

• Data forwarding mode: ▫ Control packets are forwarded through CAPWAP control tunnels. Data packets are forwarded in tunnel forwarding (centralized forwarding) or direct forwarding (local forwarding) mode. The data forwarding modes will be detailed later in the course. • Service VLAN: ▫ Since WLANs provide flexible access modes, STAs may connect to the same WLAN at the office entrance or stadium entrance, and then roam to different APs. ▪ If a single VLAN is configured as the service VLAN, IP address resources may become insufficient in areas where many STAs access the WLAN, and IP addresses in the other areas are wasted. ▪ After a VLAN pool is created, add multiple VLANs to the VLAN pool and configure the VLANs as service VLANs. In this way, an SSID can use multiple service VLANs to provide wireless access services. Newly connected STAs are dynamically assigned to VLANs in the VLAN pool, which reduces the number of STAs in each VLAN and also the size of the broadcast domain. Additionally, IP addresses are evenly allocated, preventing IP address waste.

• Active scanning: ▫ Probes containing an SSID: applies when a STA actively scans wireless networks to access a specified wireless network. ▫ Probes that do not contain an SSID: applies when a STA actively scans wireless networks to determine whether wireless services are available. • Passive scanning: ▫ STAs can passively scan wireless networks. ▫ In passive scanning mode, a STA listens to Beacon frames (containing the SSID and supported rate) periodically sent by an AP to discover surrounding wireless networks. By default, an AP sends Beacon frames at an interval of 100 TUs (1 TU = 1024 us).

• A WLAN needs to ensure validity and security of STA access. To achieve this, STAs need to be authenticated before accessing the WLAN. This process is known as link authentication, which is usually considered the beginning of STA access. • Shared key authentication:

▫ The same shared key is configured for STAs and APs in advance. The AP checks whether the STA has the same shared key during link authentication. If so, the STA is successfully authenticated. Otherwise, STA authentication fails. ▫ Authentication process:

1. The STA sends an Authentication Request packet to the AP. 2. The AP generates a challenge and sends it to the STA. 3. The STA uses the preconfigured key to encrypt the challenge and sends the encrypted challenge to the AP.

4. The AP uses the preconfigured key to decrypt the encrypted challenge and compares the decrypted challenge with the challenge sent to the STA. If the two challenges are the same, the STA is successfully authenticated. Otherwise, STA authentication fails.

• STA association in the Fit AP architecture consists of the following steps: 1. The STA sends an Association Request packet to the AP. The Association Request packet carries the STA's parameters and the parameters selected by the STA according to the service configuration, including the transmission rate, channel, and QoS capabilities. 2. After receiving the Association Request packet, the AP encapsulates the packet into a CAPWAP packet and sends the CAPWAP packet to the AC. 3. The AC determines whether to permit the STA access according to the received Association Request packet and replies with a CAPWAP packet containing an Association Response. 4. The AP decapsulates the CAPWAP packet to obtain the Association Response, and sends the Association Response to the STA.

• Data encryption: ▫ In addition to user access authentication, data packets need to be encrypted to ensure data security, which is also implemented in the access authentication phase. After a data packet is encrypted, only the device that holds the key can decrypt the packet. Other devices cannot decrypt the packet even if they receive the packet because they do not have the corresponding key.

• Three WLAN security policies are available: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and WPA2. Each security policy has a series of security mechanisms, including link authentication used to establish a wireless link, user authentication used when users attempt to connect to a wireless network, and data encryption used during data transmission. • WEP ▫ WEP, defined in IEEE 802.11, is used to protect data of authorized users from being intercepted during transmission on a WLAN. WEP uses the RC4 algorithm to encrypt data through a 64-bit, 128-bit, or 152-bit key. Each encryption key contains a 24-bit initialization vector (IV) generated by the system. Therefore, the length of the key configured on the WLAN server and client is 40 bits, 104 bits, or 128 bits. WEP uses a static encryption key. All STAs associating with the same SSID use the same key to connect to the WLAN.

• With the application and development of enterprise networks, threats increasingly bring risks, such as viruses, Trojan horses, spyware, and malicious network attacks. On a traditional enterprise network, the intranet is considered secure and threats come from the extranet. However, research shows that 80% of cyber security vulnerabilities come from inside the network. The network security threats and viruses affect the network seriously, leading to system or network crashes. In addition, when intranet users browse websites on the external network, the spyware and Trojan horse software may be automatically installed on users' computers, which cannot be sensed by the users. The malicious software may spread on the intranet. • Therefore, as security challenges keep escalating, traditional security measures are far from enough. The security model needs to be changed from the passive mode to active mode. Thoroughly solving network security problems from the root (terminal) can improve the information security level of the entire enterprise.

• Tunnel forwarding mode: ▫ Advantages: An AC forwards all data packets, ensuring security and facilitating centralized management and control. ▫ Disadvantages: Service data must be forwarded by an AC, which is inefficient and increases the load on the AC. • Direct forwarding mode: ▫ Advantages: Service data packets do not need to be forwarded by an AC, improving packet forwarding efficiency and reducing the burden on the AC.

▫ Disadvantages: Service data is difficult to manage and control in a centralized manner.

• Command: option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string | cipher cipher-string | ip-address ip-address } ▫ code: specifies the code of a user-defined option. The value is an integer that ranges from 1 to 254, except values 1, 3, 6, 15, 44, 46, 50, 51, 52, 53, 54, 55, 57, 58, 59, 61, 82, 121 and 184. ▫ sub-option sub-code: specifies the code of a user-defined sub-option. The value is an integer ranging from 1 to 254. For details about well-known options, see RFC 2132. ▫ ascii | hex | cipher: specifies the user-defined option code as an ASCII character string, hexadecimal character string, or ciphertext character string. ▫ ip-address ip-address: specifies the user-defined option code as an IP address. • Command: regulatory-domain-profile name profile-name

▫ name profile-name: specifies the name of a regulatory domain profile. The value is a string of 1 to 35 case-insensitive characters. It cannot contain question marks (?) or spaces, and cannot start or end with double quotation marks (").

• Command: ap-group name group-name ▫ name group-name: specifies the name of an AP group. The value is a string of 1 to 35 characters. It cannot contain question marks (?), slashes (/), or spaces, and cannot start or end with double quotation marks (").

• Command: ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | apsn ap-sn | ap-mac ap-mac ap-sn ap-sn } ] ▫ ap-id: specifies the ID of an AP. The value is an integer that ranges from 0 to 8191.

▫ type-id: specifies the ID of an AP type. The value is an integer that ranges from 0 to 255. ▫ ap-type: specifies the type of an AP. The value is a string of 1 to 31 characters. ▫ ap-mac: specifies the MAC address of an AP. The value is in H-H-H format. An H is a 4-digit hexadecimal number. ▫ ap-sn: specifies the SN of an AP. The value is a string of 1 to 31 characters, and can contain only letters and digits.

• Command: radio radio-id ▫ radio-id: specifies the ID of a radio. The radio ID must exist. • Commands: ▫ channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel ▫ channel 80+80mhz channel1 channel2 ▫ 20mhz: sets the working bandwidth of a radio to 20 MHz. ▫ 40mhz-minus: sets the working bandwidth of a radio to 40 MHz Minus.

▫ 40mhz-plus: sets the working bandwidth of a radio to 40 MHz Plus. ▫ 80mhz: sets the working bandwidth of a radio to 80 MHz. ▫ 160mhz: sets the working bandwidth of a radio to 160 MHz. ▫ 80+80mhz: sets the working bandwidth of a radio to 80+80 MHz. ▫ channel/channel1/channel2: specifies the working channel for a radio. The channel is selected based on the country code and radio mode. The parameter is an enumeration value. The value range is determined according to the country code and radio mode.

• Command: antenna-gain antenna-gain ▫ antenna-gain: specifies the antenna gain. The value is an integer that ranges from 0 to 30, in dB.

• Command: eirp eirp ▫ eirp: specifies the transmit power. The value is an integer that ranges from 1 to 127, in dBm. • Command: coverage distance distance ▫ distance: specifies the radio coverage distance. Each distance corresponds to a group of slottime, acktimeout, and ctstimeout values. You can configure the radio coverage distance based on the AP distance, so that APs adjust the values of slottime, acktimeout, and ctstimeout values accordingly. The value is an integer that ranges from 1 to 400, in 100 meters. • Command: frequency { 2.4g | 5g } ▫ By default, radio 0 works on the 2.4 GHz frequency band, and radio 2 works on the 5 GHz frequency band.

• Command: radio-2g-profile name profile-name ▫ name profile-name: specifies the name of a 2G radio profile. The value is a string of 1 to 35 case-insensitive characters. It cannot contain question marks (?) or spaces, and cannot start or end with double quotation marks (").

▫ By default, the system provides the 2G radio profile default. • Command: radio-2g-profile profile-name radio { radio-id | all } ▫ profile-name: specifies the name of a 2G radio profile. The 2G radio profile must exist.

▫ radio radio-id: specifies the ID of a radio. The value is an integer that can be 0 or 2. ▫ radio all: specifies all radios.

• Command: ssid ssid ▫ ssid: specifies an SSID. The value is a string of 1 to 32 case-sensitive characters. It supports Chinese characters or Chinese + English characters, without tab characters.

▫ To start an SSID with a space, you need to encompass the SSID with double quotation marks ("), for example, " hello". The double quotation marks occupy two characters. To start an SSID with a double quotation mark, you need to add a backslash (\) before the double quotation mark, for example, \"hello. The backslash occupies one character.

• Command: display vap { ap-group ap-group-name | { ap-name ap-name | ap-id apid } [ radio radio-id ] } [ ssid ssid ] ▫ ap-group-name: displays information about all service VAPs in a specified AP group. The AP group must exist.

▫ ap-name: displays information about service VAPs on the AP with a specified name. The AP name must exist. ▫ ap-id: displays information about service VAPs on the AP with a specified ID. The AP ID must exist.

▫ radio-id: Displays information about service VAPs of a specified radio. The value is an integer that ranges from 0 to 2. ▫ ssid: Displays information about service VAPs of a specified SSID. The SSID must exist.

• Command: display vap { all | ssid ssid } ▫ all: displays information about all service VAPs.

• Service requirements ▫ An enterprise wants to enable users to access the Internet through a WLAN, meeting the basic mobile office requirements. • Networking requirements

▫ AC networking mode: Layer 2 networking in off-path mode ▫ DHCP deployment mode: ▪ The AC functions as a DHCP server to assign IP addresses to APs. ▪ The aggregation switch S2 functions as a DHCP server to assign IP addresses to STAs. ▫ Service data forwarding mode: tunnel forwarding • Configuration roadmap ▫ Configure network connectivity between the AC, APs, and other network devices.

▫ Configure the APs to go online. ▪ Create an AP group and add APs that require the same configuration to the group for unified configuration. ▪ Configure AC system parameters, including the country code and source interface used by the AC to communicate with the APs. ▪ Configure the AP authentication mode and imports the APs in offline mode for them to go online. ▫ Configure WLAN service parameters for STAs to access the WLAN.

• 1. Create VLANs and interfaces on S1, S2, and AC. ▫ S1 configuration: [S1] vlan batch 100 [S1] interface gigabitethernet 0/0/1 [S1-GigabitEthernet0/0/1] port link-type trunk [S1-GigabitEthernet0/0/1] port trunk pvid vlan 100 [S1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100

[S1-GigabitEthernet0/0/1] quit [S1] interface gigabitethernet 0/0/2 [S1-GigabitEthernet0/0/2] port link-type trunk [S1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 [S1-GigabitEthernet0/0/2] quit

• Import an AP in offline mode on the AC. ▫ Add the AP to the AP group ap-group1. Assume that an AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP area_1 if it is deployed in area 1.

• Description of the display ap command output: ▫ ID: AP ID. ▫ MAC: AP MAC address. ▫ Name: AP name.

▫ Group: Name of the AP group to which an AP belongs. ▫ IP: IP address of an AP. In NAT scenarios, APs are on the private network and the AC on the public network. This value is an AP's private IP address. To check the public IP address of an AP, run the display ap run-info command. ▫ Type: AP type.

▫ State: AP state. ▪ normal: An AP has gone online on an AC and is working properly. ▪ commit-failed: WLAN service configurations fail to be delivered to an AP after it goes online on an AC. ▪ download: An AP is in upgrade state. ▪ fault: An AP fails to go online. ▪ idle: It is the initialization state of an AP before it establishes a link with the AC for the first time. ▫ STA: Number of STAs connected to an AP.

▫ Uptime: Online duration of an AP. ▫ ExtraInfo: Extra information. The value P indicates an AP has no sufficient power supply.

• Description of the display vap command output: ▫ AP ID: AP ID. ▫ AP name: AP name. ▫ RfID: Radio ID. ▫ WID: VAP ID. ▫ SSID: SSID name. ▫ BSSID: MAC address of a VAP.

▫ Status: Current status of a VAP. ▪ ON: The VAP service is enabled. ▪ OFF: The VAP service is disabled. ▫ Auth type: VAP authentication mode. ▫ STA: Number of STAs connected to a VAP.

• Wi-Fi 5 cannot meet the low service latency and high bandwidth requirements of 4K/8K video conferencing scenarios. • Powered by Huawei SmartRadio intelligent application acceleration, Wi-Fi 6 achieves a latency of as low as 10 ms.

• Currently, the theoretical rate of all Wi-Fi 5 products (Wave 2) is 2.5 Gbit/s, and that of Wi-Fi 6 products is 9.6 Gbit/s. Therefore, Wi-Fi 6 increases the rate by four folds compared with Wi-Fi 5. • Wi-Fi 6 increases the number of concurrent users by four folds compared with Wi-Fi 5. In the actual test, at a per user bandwidth of 2 Mbit/s, the concurrent number of users supported by Wi-Fi 5 is 100, and that supported by Wi-Fi 6 is 400. • The average latency supported by Wi-Fi 6 is about 20 ms (about 30 ms in Wi-Fi 5). Huawei SmartRadio intelligent application acceleration technology further reduces the service latency to as low as 10 ms. • TWT is not supported by Wi-Fi 5.

• UHD is short for ultra high definition.

1. Answer: ▫ In-path networking advantages: Direct forwarding is often used on an in-path network. This networking mode simplifies the network architecture and applies to large-scale centralized WLANs.

▫ Off-path networking advantages: The off-path networking mode is commonly used. Wireless user service data does not need to be processed by an AC, eliminating the bandwidth bottleneck and facilitating the usage of existing security policies. Therefore, this networking mode is recommended. 2. ABD

• The main differences between a WAN and a LAN are as follows: ▫ A LAN provides high bandwidth but supports only a short transmission distance, which cannot meet the long-distance transmission requirements of a WAN. ▫ LAN devices are usually switches, whereas WAN devices are mostly routers. ▫ A LAN belongs to an institute or organization, whereas most WAN services are provided by ISPs. ▫ WANs and LANs usually use different protocols or technologies only at the physical layer and data link layer. They do not have notable differences in the other layers. ▫ The private networks of banks, governments, military, and large companies are also WANs and physically isolated from the Internet. ▫ The Internet is only a type of WAN. Small enterprises use the Internet as the WAN connection.

• At the early stage, the common physical layer standards of WANs include common interface standards EIA/TIA-232 (RS-232) formulated by the Electronic Industries Alliance (EIA), and Telecommunications Industry Association (TIA), serial line interface standards V.24 and V.35 formulated by the International Telecommunication Union (ITU), and the G.703 standards related to the physical and electrical features of various digital interfaces. • The common data link layer standards of WANs include High-Level Data Link Control (HDLC), PPP, FR, and ATM. ▫ HDLC is a universal protocol running at the data link layer. Data packets are encapsulated into HDLC frames with the header and tail overheads added. The HDLC frames can be transmitted only on P2P synchronous links and do not support IP address negotiation and authentication. HDLC seeks high reliability by introducing a high overhead, leading to low transmission efficiency. ▫ PPP runs at the data link layer for P2P data transmission over full-duplex synchronous and asynchronous links. PPP is widely used because it provides user authentication, supports synchronous and asynchronous communication, and is easy to extend. ▫ FR is an industry-standard and switched data link protocol. It uses the error-free

check mechanism to speed up data forwarding. ▫ ATM is a connection-oriented switching technology based on circuit switching and packet switching. It uses 53-byte ATM cells to transmit information.

• A PPP link can be set up after going through the link establishment, authentication, and network layer negotiation phases. The details are as follows: 1. Two communicating devices enter the Establish phase when starting to set up a PPP connection. 2. In the Establish phase, they perform LCP negotiation to negotiate an MRU, authentication mode, magic number, and other options. If the negotiation is successful, the devices enter the Opened state, indicating that the lower-layer link has been established. 3. If authentication is configured, the devices enter the Authenticate phase. Otherwise, the devices directly enter the Network phase.

4. In the Authenticate phase, link authentication is performed based on the authentication mode negotiated in the link establishment phase. Two authentication modes are available: PAP and CHAP. If the authentication succeeds, the devices enter the Network phase. Otherwise, the devices enter the Terminate phase, tear down the link, and set the LCP status to Down. 5. In the Network phase, NCP negotiation is performed on the PPP link to select and configure a network layer protocol and to negotiate network layer parameters. The most common NCP protocol is IPCP, which is used to negotiate IP parameters. 6. In the Terminate phase, if all resources are released, the two communicating devices return to the Dead phase.

• During the PPP operation, the PPP connection can be terminated at any time. A physical link disconnection, authentication failure, timeout timer expiry, and connection close by administrators through configuration can all cause a PPP connection to enter the Terminate phase.

• PPP frame format: ▫ The Flag field identifies the start and end of a physical frame and is a binary sequence 01111110 (0X7E). ▫ The Address field in a PPP frame represents a broadcast address and has a fixed value of 11111111(0XFF). ▫ The Control field of a PPP data frame is 00000011 (0X03) by default, indicating that the frame is an unordered frame. ▫ The FCS field is a 16-bit checksum used to check the integrity of PPP frames.

▫ The Protocol field indicates the type of protocol packets encapsulated using PPP. 0XC021, 0XC023, and 0XC223 indicate LCP, PAP, and CHAP packets, respectively. ▫ The Information field specifies the content of a protocol specified by the Protocol field. The maximum length of this field is called the MRU. The default value is 1500 bytes. ▫ When the Protocol field is 0XC021, the Information field structure is as follows: ▪ The Identifier field is one byte and is used to match requests and responses. ▪ The Length field specifies the total number of bytes in the LCP packet. ▪ The Data field carries various TLV parameters for negotiating configuration options, including an MRU, authentication protocol, and the like.

• R1 and R2 are connected through a serial link and run the PPP protocol. After the physical link becomes available, R1 and R2 use LCP to negotiate link parameters. • In this example, R1 sends a Configure-Request packet that carries link layer parameters configured on R1. After receiving the Configure-Request packet, R2 returns a Configure-Ack packet to R1 if R2 can identify and accept all parameters in the packet. Similarly, R2 also sends a Configure-Request packet to R1, so that R1 checks whether the parameters on R2 are acceptable. • If R1 does not receive any Configure-Ack packet, it retransmits a Configure-Request packet every 3s. If R1 does not receive any Configure-Ack packet after sending 10 Configure-Request packets consecutively, it considers the peer end unavailable and stops sending Configure-Request packets.

• After R2 receives the Configure-Request packet from R1, if R2 can identify all link layer parameters carried in the packet but considers that some or all parameter values are unacceptable (parameter value negotiation fails), R2 returns a Configure-Nak packet to R1. • The Configure-Nak packet contains only unacceptable link layer parameters, with values (or value ranges) changed to those that can be accepted by R2. • After receiving the Configure-Nak packet, R1 re-selects other locally configured parameters according to the link layer parameters in the packet and resends a Configure-Request packet.

• After receiving a Configure-Request packet from R1, R2 returns a Configure-Reject packet to R1 if R2 cannot identify some or all link layer parameters carried in the packet. The Configure-Reject packet contains only the link layer parameters that cannot be identified. • After receiving the Configure-Reject packet, R1 resends a Configure-Request packet to R2. This packet contains only parameters that can be identified by R2.

• After LCP negotiation is complete, the authenticator requires the peer to use PAP for authentication. • PAP is a two-way handshake authentication protocol. The password is transmitted in clear text on the link. The process is as follows:

▫ The peer sends the configured username and password to the authenticator in clear text through an Authenticate-Request packet. ▫ After receiving the username and password from the peer, the authenticator checks whether the username and password match those in the locally configured database. If they match, the authenticator returns an AuthenticateAck packet, indicating that the authentication is successful. If they do not match, the authenticator returns an Authenticate-Nak packet, indicating that the authentication is unsuccessful.

• After LCP negotiation is complete, the authenticator requires the peer to use CHAP for authentication. • CHAP authentication requires three packet exchanges. The process is as follows: ▫ The authenticator initiates an authentication request and sends a Challenge packet to the peer. The Challenge packet contains a random number and an ID.

▫ After receiving the Challenge packet, the peer performs encryption calculation using the formula MD5{ID+random number+password}. The formula means that the authenticator combines the identifier, random number, and password into a character string and performs an MD5 operation on the character string to obtain a 16-byte digest. The peer then encapsulates the digest and the CHAP username configured on the interface into a Response packet and sends the Response packet to the authenticator. ▫ After receiving the Response packet, the authenticator locally searches for the password corresponding to the username in the Response packet. After obtaining the password, the authenticator encrypts the password using the same formula as that used by the peer. Then, the authenticator compares the digest obtained through encryption with that in the Response packet. If they are the same, the authentication succeeds. If they are different, the authentication fails. • In CHAP authentication, the password of the peer is encrypted before being transmitted, which greatly improves security. • Notices About Encryption Algorithms

▫ The MD5 (digital signature scenario and password encryption) encryption algorithm has security risks. You are advised to use more secure encryption algorithms, such as AES, RSA (2048 bits or above), SHA2, and HMAC-SHA2.

• NCP is used to establish and configure different network layer protocols and negotiate the format and type of data packets transmitted on a data link. IPCP is a commonly used NCP. • The static IP address negotiation process is as follows:

▫

Each end sends a Configure-Request packet carrying the locally configured IP address.

▫

After receiving the packet from the peer end, the local end checks the IP address in the packet. If the IP address is a valid unicast IP address and is different from the locally configured IP address (no IP address conflict), the local end considers that the peer end can use this address and responds with a Configure-Ack packet.

• The dynamic IP address negotiation process is as follows: ▫ R1 sends a Configure-Request packet to R2. The packet contains an IP address 0.0.0.0, indicating that R1 requests an IP address from R2. ▫ After receiving the Configure-Request packet, R2 considers the IP address 0.0.0.0 invalid and replies with a Configure-Nak packet carrying a new IP address 10.1.1.1. ▫ After receiving the Configure-Nak packet, R1 updates its local IP address and resends a Configure-Request packet carrying the new IP address 10.1.1.1.

▫ After receiving the Configure-Request packet, R2 considers the IP address contained in the packet valid and returns a Configure-Ack packet. ▫ R2 also sends a Configure-Request packet to R1 to request use of IP address 10.1.1.2. R1 considers the IP address valid and replies with a Configure-Ack packet.

• Carriers want to connect multiple hosts at a site to a remote access device, which can provide access control and accounting for these hosts in a manner similar to dial-up access. Ethernet is the most cost-effective technology among all access technologies that connect multiple hosts to an access device. PPP provides good access control and accounting functions. PPPoE therefore was introduced to transmit PPP packets on the Ethernet. • PPPoE uses Ethernet to connect a large number of hosts to the Internet through a remote access device and uses PPP to control each host. PPPoE applies to various scenarios, and provides high security as well as convenient accounting.

• PPPoE packets are encapsulated in Ethernet frames. The fields in an Ethernet frame are described as follows: • DMAC: indicates the MAC address of a destination device, which is usually an Ethernet unicast or broadcast address (0xFFFFFFFF).

• SMAC: indicates the MAC address of a source device. • Eth-Type: indicates the protocol type. The value 0x8863 indicates that PPPoE discovery packets are carried. The value 0x8864 indicates that PPPoE session packets are carried. • The fields in a PPPoE packet are described as follows:

▫ VER: indicates a PPPoE version. The value is 0x01. ▫ Type: indicates the PPPoE type. The value is 0x01. ▫ Code: indicates a PPPoE packet type. Different values indicate different PPPoE packet types. ▫ Session ID: indicates a PPPoE session ID. This field defines a PPPoE session, together with the Ethernet SMAC and DMAC fields. ▫ Length: indicates the length of a PPPoE packet.

1. The PPPoE client broadcasts a PADI packet that contains the required service information on the local Ethernet. ▫ The destination MAC address of the PADI packet is a broadcast address, the Code field is set to 0x09, and the Session ID field is set to 0x0000. ▫ After receiving the PADI packet, all PPPoE servers compare the requested services with the services that they can provide. 2. If a server can provide the requested service, it replies with a PADO packet. ▫ The destination address of the PADO packet is the MAC address of the client that sends the PADI packet. The Code field is set to 0x07 and the Session ID field is set to 0x0000.

3. The PPPoE client may receive multiple PADO packets. In this case, the PPPoE client selects the PPPoE server whose PADO packet is first received by the client and sends a PADR packet to the PPPoE server. ▫ The destination address of the PADR packet is the MAC address of the selected server, the Code field is set to 0x19, and the Session ID field is set to 0x0000.

4. After receiving the PADR packet, the PPPoE server generates a unique session ID to identify the session with the PPPoE client and sends a PADS packet. ▫ The destination address of the PADS packet is the MAC address of the PPPoE client, the Code field is set to 0x65, and the Session ID field is set to the uniquely generated session ID.

• After a PPPoE session is established, the PPPoE client and server enter the PPPoE session stage.

• In the PPPoE session stage, PPP negotiation and PPP packet transmission are performed. • PPP negotiation in the PPPoE session stage is the same as common PPP negotiation, which includes the LCP, authentication, and NCP negotiation phases.

▫ In the LCP phase, the PPPoE server and PPPoE client establish and configure a data link, and verify the data link status. ▫ After LCP negotiation succeeds, authentication starts. The authentication protocol type is determined by the LCP negotiation result.

▫ After authentication succeeds, PPP enters the NCP negotiation phase. NCP is a protocol suite used to configure different network layer protocols. A commonly used network-layer protocol is IPCP, which is responsible for configuring IP addresses for users and domain name servers (DNSs). • After PPP negotiation succeeds, PPP data packets can be forwarded over the established PPP link. The data packets transmitted in this phase must contain the session ID determined in the discovery stage, and the session ID must remain unchanged.

• In a PADT packet, the destination MAC address is a unicast address, and the session ID is the ID of the session to be closed. Once a PADT packet is received, the session is closed.

• The configuration of the PPPoE client includes three steps: • Step 1: Configure a dialer interface. ▫ The dialer-rule command displays the dialer rule view. In this view, you can configure the conditions for initiating a PPPoE session. ▫ The interface dialer number command creates a dialer interface and displays the dialer interface view. ▫ The dialer user user-name command configures a username for the peer end. This username must be the same as the PPP username on the peer server.

▫ The dialer-group group-number command adds an interface to a dialer group. ▫ The dialer bundle number command specifies a dialer bundle for the dialer interface. The device associates a physical interface with the dialer interface through the dialer bundle.

• Step 2: Bind the dialer bundle to a physical interface. ▫ The pppoe-client dial-bundle-number number command binds the dialer bundle to a physical interface and specifies the dialer bundle for the PPPoE session. number specifies the dialer bundle number corresponding to the PPPoE session. • Step 3: Configure a default static route. This route allows the traffic that does not match any entry in the routing table to initiate a PPPoE session through the dialer interface.

• PPPoE Server Configurations ▫ The interface virtual-template command creates a virtual template interface or displays the view of an existing virtual template interface. ▫ The pppoe-server bind command binds an interface to the virtual template interface for PPPoE access.

• The display interface dialer number command displays the configuration of the dialer interface. The command output helps locate faults on the dialer interface. • LCP opened, IPCP opened indicates that the link is working properly. • The display pppoe-client session summary command displays the PPPoE session status and statistics on the PPPoE client. ▫ ID indicates a PPPoE session ID. The values of the bundle ID and dialer ID are determined by the configured dialer parameters. ▫ Intf indicates the physical interface used for negotiation on the PPPoE client.

▫ State indicates the status of a PPPoE session, which can be: 1. IDLE: The current session is idle. 2. PADI: The current session is in the discovery stage, and a PADI packet has been sent. 3. PADR: The current session is in the discovery stage, and a PADR packet has been sent. 4. UP: The current session is set up successfully.

• SIDs are used to identify segments. The format of SIDs depends on the implementation of technologies. For example, SIDs can be MPLS labels, indexes in an MPLS label space, or IPv6 packet headers. SR using MPLS labels is called SR-MPLS and using IPv6 is called SRv6.

• After receiving a packet, the receive end parses the segment list. If the top SID in the segment list identifies the local node, the node removes the SID and proceeds with the follow-up procedures. If the top SID does not identify the local node, the node forwards the packet to a next node in equal cost multiple path (ECMP) mode.

• PCEP: Path Computation Element Communication Protocol • NETCONF: Network Configuration Protocol

1. ABDE 2. B 3. C

• Network management and O&M is classified as software management or hardware management. ▫ Software management: management of network applications, user accounts (such as accounts for using files), and read and write permissions. This course does not describe software management in detail. ▫ Hardware management: management of network elements (NEs) that constitute the network, including firewalls, switches, routers, and other devices. This course mainly describes hardware management. • Generally, an enterprise network has dedicated departments or personnel responsible for network management and O&M. • Note: ▫ A network element (NE) refers to a hardware device and software running on the hardware device. An NE has at least one main control board that manages and monitors the entire NE. The NE software runs on the main control board.

• Traditional network management: ▫ Web system: The built-in web server of the device provides a graphical user interface (GUI). You need to log in to the device to be managed from a terminal through Hypertext Transfer Protocol Secure (HTTPS).

▫ CLI mode: You can log in to a device through the console port, Telnet, or SSH to manage and maintain the device. This mode provides refined device management but requires that users be familiar with command lines. ▫ SNMP-based centralized management: The Simple Network Management Protocol (SNMP) provides a method for managing NEs (such as routers and switches) by using a central computer (that is, a network management station) that runs network management software. This mode provides centralized and unified management of devices on the entire network, greatly improving management efficiency.

• iMaster NCE-based network management: ▫ iMaster NCE is a network automation and intelligence platform that integrates management, control, analysis, and AI functions. It provides four key capabilities: full-lifecycle automation, intelligent closed-loop management based on big data and AI, scenario-specific app ecosystem enabled by open programmability, and all-cloud platform with ultra-large system capacity. ▫ iMaster NCE uses protocols such as Network Configuration Protocol (NETCONF) and RESTCONF to deliver configurations to devices and uses telemetry to monitor network traffic.

• As networks rapidly expand and applications become more diversified, network administrators face the following problems: ▫ The fast growth of network devices increases network administrators' workloads. In addition, networks' coverage areas are constantly being expanded, making real-time monitoring and fault locating of network devices difficult. ▫ There are various types of network devices and the management interfaces (such as command line interfaces) provided by different vendors vary from each other, making network management more complex.

• There are three SNMP versions: SNMPv1, SNMPv2c, and SNMPv3. ▫ In May 1990, RFC 1157 defined the first SNMP version: SNMPv1. RFC 1157 provides a systematic method for monitoring and managing networks. SNMPv1 implements community name-based authentication, failing to provide high security. In addition, only a few error codes are returned in SNMPv1 packets. ▫ In 1996, the Internet Engineering Task Force (IETF) released RFC 1901 in which SNMPv2c is defined. SNMPv2c provides enhancements to standard error codes, data types (Counter 64 and Counter 32), and operations including GetBulk and Inform. ▫ SNMPv2c still lacks security protection measures, so IETF released SNMPv3. SNMPv3 provides user security module (USM)-based encryption and authentication and a view-based access control model (VACM).

• An NMS is an independent device that runs network management programs. The network management programs provide at least one man-machine interface for network administrators to perform network management operations. Web page interaction is a common man-machine interaction mode. That is, a network administrator uses a terminal with a monitor to access the web page provided by the NMS through HTTP/HTTPS.

• MIB is defined independently of a network management protocol. Device vendors can integrate SNMP agent software into their products (for example, routers), but they must ensure that this software complies with relevant standards after new MIBs are defined. You can use the same network management software to manage routers containing MIBs of different versions. However, the network management software cannot manage a router that does not support the MIB function. • There are public MIBs and private MIBs. ▫ Public MIBs: defined by RFCs and used for structure design of public protocols and standardization of interfaces. Most vendors need to provide SNMP interfaces according to the specifications defined in RFCs. ▫ Private MIBs: They are the supplement of the public MIBs. Some enterprises need to develop private protocols or special functions. The private MIBs are designed to enable the SNMP interface to manage such protocols or functions. They also help the NMS provided by the third party to manage devices. For example, the MIB object of Huawei is 1.3.6.1.4.1.2011.

• The maximum access permission of a MIB object indicates the operations that the NMS can perform on the device through the MIB object. ▫ not-accessible: No operation can be performed. ▫ read-only: reads information. ▫ read-write: reads information and modifies configurations. ▫ read-create: reads information, modifies configurations, adds configurations, and deletes configurations. • When generating a trap, the device reports the type of the current trap together with some variables. For example, when sending a linkDown trap, the device also sends variables such as the interface index and current configuration status of the involved interface.

• SNMPv1 defines five protocol operations. ▫ Get-Request: The NMS extracts one or more parameter values from the MIB of the agent process on the managed device. ▫ Get-Next-Request: The NMS obtains the next parameter value from the MIB of the agent process in lexicographical order. ▫ Set-Request: The NMS sets one or more parameter values in the MIB of the agent process. ▫ Response: The agent process returns one or more parameter values. It is the response to the first three operations. ▫ Trap: The agent process sends messages to the NMS to notify the NMS of critical or major events.

• SNMPv2c supports the following operations: ▫ GetBulk: equals to multiple GetNext operations. You can set the number of GetNext operations to be included in one GetBulk operation. ▫ Inform: A managed device proactively sends traps to the NMS. In contrast to the trap operation, the inform operation requires an acknowledgement. After a managed device sends an InformRequest message to the NMS, the NMS returns an InformResponse message. If the managed device does not receive the acknowledgment message, it temporarily saves the trap in the Inform buffer and resends the trap until the NMS receives the trap or the number of retransmission times reaches the maximum.

• SNMPv3 supports identity authentication and encryption. ▫ Identity authentication: A process in which the agent process (or NMS) confirms whether the received message is from an authorized NMS (or agent process) and whether the message is changed during transmission.

▫ Encryption: The header data and security parameter fields are added to SNMPv3 messages. For example, when the management process sends an SNMPv3 GetRequest message carrying security parameters such as the username, key, and encryption parameters, the agent process also uses an encrypted response message to respond to the Get-Request message. This security encryption mechanism is especially applicable to a scenario in which data needs to be transmitted through a public network between the management process and agent process.

• One zettabyte (abbreviated "ZB") is equal to 1012 GB.

• iMaster NCE provides the following key capabilities: ▫ Full-lifecycle automation: iMaster NCE provides full-lifecycle automation across multiple network technologies and domains based on unified resource modeling and data sharing, enabling device plug-and-play, immediate network availability after migration, on-demand service provisioning, fault self-healing, and risk warning. ▫ Intelligent closed-loop management based on big data and AI: iMaster NCE constructs a complete intelligent closed-loop system based on its intent engine, automation engine, analytics engine, and intelligence engine. It also uses telemetry to collect and aggregate massive volumes of network data. This allows it to determine the network status in real time. iMaster NCE provides big databased global network analysis and insights through unified data modeling, and is equipped with Huawei's sophisticated AI algorithms accumulated during its 30 years in the telecom industry. It provides automated closed-loop analysis, forecast, and decision-making based on customers' intents. This helps improve user experience and continuously enhance network intelligence.

• NETCONF client: manages network devices using NETCONF. Generally, the NMS functions as the NETCONF client. It sends elements to a NETCONF server to query or modify configuration data. The client can learn the status of a managed device based on the traps and events reported by the server. • NETCONF server: maintains information about managed devices, responds to requests from clients, and reports management data to the clients. NETCONF servers are typically network devices, for example, switches and routers. After receiving a request from a client, a server parses data, processes the request with the assistance of the Configuration Manager Frame (CMF), and then returns a response to the client. If a trap is generated or an event occurs on a managed device, the NETCONF server reports the trap or event to the client through the Notification mechanism, so the client can learn the status change of the managed device. • A client and a server establish a connection based on a secure transmission protocol such as Secure Shell (SSH) or Transport Layer Security (TLS), and establish a NETCONF session after exchanging capabilities supported by the two parties using Hello packets. In this way, the client and the server can exchange messages. A network device must support at least one NETCONF session. The data that a NETCONF client obtains from a NETCONF server can be configuration data or status data.

• NETCONF uses SSH to implement secure transmission and uses Remote Procedure Call (RPC) to implement communication between the client and server.

• YANG originates from NETCONF but is not only used for NETCONF. Although the YANG modeling language is unified, YANG files are not unified. • YANG files can be classified into the following types: ▫ Vendor's proprietary YANG file ▫ IETF standard YANG ▫ OpenConfig YANG • The YANG model is presented as a .yang file. • The YANG model has the following characteristics: ▫ Hierarchical tree-like structure modeling. ▫ Data models are presented as modules and sub-modules. ▫ It can be converted to the YANG Indepent Notation (YIN) model based on the

XML syntax without any loss. ▫ Defines built-in data types and extensible types.

• There is also a view in the industry that SNMP is considered as a traditional telemetry technology, and the current telemetry is referred to as streaming telemetry or modeldriven telemetry. • Telemetry packs the data to be sent, improving transmission efficiency.

1. A 2. C

3. A 4. A

• Internet Protocol version 4 (IPv4): a current IP version. An IPv4 address is 32 bits in length and is usually represented by four octets written in dotted decimal notation. Each IPv4 address consists of a network number, an optional subnet number, and a host number. The network and subnet numbers together are used for routing, and the host number is used to address an individual host within a network or subnet. • Internet Protocol version 6 (IPv6): a set of specifications designed by the IETF. It is an upgraded version of IPv4. IPv6 is also called IP Next Generation (IPng). IPv6 addresses are extended to 128 bits in length.

• The IANA is responsible for assigning global Internet IP addresses. The IANA assigns some IPv4 addresses to continent-level RIRs, and then each RIR assigns addresses in its regions. The five RIRs are as follows: ▫ RIPE: Reseaux IP Europeans, which serves Europe, Middle East, and Central Asia. ▫ LACNIC: Latin American and Caribbean Internet Address Registry, which serves the Central America, South America, and the Caribbean. ▫ ARIN: American Registry for Internet Numbers, which serves North America and some Caribbean regions. ▫ AFRINIC: Africa Network Information Center, which serves Africa. ▫ APNIC: Asia Pacific Network Information Centre, which serves Asia and the Pacific. • IPv4 has proven to be a very successful protocol. It has survived the development of the Internet from a small number of computers to hundreds of millions of computers. But the protocol was designed decades ago based on the size of the networks at that time. With the expansion of the Internet and the launch of new applications, IPv4 has shown more and more limitations. • The rapid expansion of the Internet scale was unforeseen at that time. Especially over the past decade, the Internet has experienced explosive growth and has been accessed by numerous households. It has become a necessity in people's daily life. Against the Internet's rapid development, IP address depletion becomes a pressing issue. • In the 1990s, the IETF launched technologies such as Network Address Translation (NAT) and Classless Inter-Domain Routing (CIDR) to delay IPv4 address exhaustion. However, these transition solutions can only slow down the speed of address exhaustion, but cannot fundamentally solve the problem.

• Nearly infinite address space: This is the most obvious advantage over IPv4. An IPv6 address consists of 128 bits. The address space of IPv6 is about 8 x 1028 times that of IPv4. It is claimed that IPv6 can allocate a network address to each grain of sand in the world. This makes it possible for a large number of terminals to be online at the same time and unified addressing management, providing strong support for the interconnection of everything. • Hierarchical address structure: IPv6 addresses are divided into different address segments based on application scenarios thanks to the nearly infinite address space. In addition, the continuity of unicast IPv6 address segments is strictly required to prevent "holes" in IPv6 address ranges, which facilitates IPv6 route aggregation to reduce the size of IPv6 address tables. • Plug-and-play: Any host or terminal must have a specific IP address to obtain network resources and transmit data. Traditionally, IP addresses are assigned manually or automatically using DHCP. In addition to the preceding two methods, IPv6 supports SLAAC.

• E2E network integrity: NAT used on IPv4 networks damages the integrity of E2E connections. After IPv6 is used, NAT devices are no longer required, and online behavior management and network monitoring become simple. In addition, applications do not need complex NAT adaptation code. • Enhanced security: IPsec was initially designed for IPv6. Therefore, IPv6-based protocol packets (such as routing protocol packets and neighbor discovery packets) can be encrypted in E2E mode, despite the fact that this function is not widely used currently. The security capability of IPv6 data plane packets is similar to that of IPv4+IPsec.

• The fields in a basic IPv6 header are described as follows: ▫ Version: 4 bits long. In IPv6, the value is 6. ▫ Traffic Class: 8 bits long. This field indicates the class or priority of an IPv6 packet. It is similar to the TOS field in an IPv4 packet and is mainly used in QoS control. ▫ Flow Label: 20 bits long. This field was added in IPv6 to differentiate real-time traffic. A flow label and a source IP address together can identify a unique data flow. Intermediate network devices can effectively differentiate data flows based on this field.

▫ Payload Length: 16 bits long. This field indicates the length of the part (namely, extension headers and upper-layer PDU) in an IPv6 packet following the IPv6 basic header. ▫ Next Header: 8 bits long. This field defines the type of the first extension header (if any) following a basic IPv6 header or the protocol type in an upper-layer PDU (similar to the Protocol field in IPv4). ▫ Hop Limit: 8 bits long. This field is similar to the Time to Live field in an IPv4 packet. It defines the maximum number of hops that an IP packet can pass through. The value is decreased by 1 each time an IP packet passes through a node. The packet is discarded if Hop Limit is decreased to zero. ▫ Source Address: 128 bits long. This field indicates the address of the packet sender. ▫ Destination Address: 128 bits long. This field indicates the address of the packet receiver.

• An IPv4 packet header carries the optional Options field, which can represent security, timestamp, or record route options. The Options field extends the IPv4 packet header from 20 bytes to 60 bytes. The Options field needs to be processed by all the intermediate devices, consuming a large number of resources. For this reason, this field is seldom used in practice. • IPv6 removes the Options field from the basic header and puts it in the extension headers, which are placed between a basic IPv6 header and upper-layer PDU. An IPv6 packet may carry zero, one, or more extension headers. A sender adds one or more extension headers to a packet only when the sender requests the destination device or other devices to perform special handling. The length of IPv6 extension headers is not limited to 40 bytes so that new options can be added later. This feature together with the option processing modes enables the IPv6 options to be leveraged. To improve extension header processing efficiency and transport protocol performance, the extension header length, however, is always an integer multiple of 8 bytes. • When multiple extension headers are used, the Next Header field of the preceding header indicates the type of the current extension header. In this way, a chained packet header list is formed.

• Unicast address: identifies an interface. A packet destined for a unicast address is sent to the interface having that unicast address. In IPv6, an interface may have multiple IPv6 addresses. In addition to GUAs, ULAs, and LLAs, IPv6 has the following special unicast addresses: ▫ Unspecified address: 0:0:0:0:0:0:0:0/128, or ::/128. The address is used as the source address of some packets, for example, Neighbor Solicitation (NS) messages sent during DAD or request packets sent by a client during DHCPv6 initialization. ▫ Loopback address: 0:0:0:0:0:0:0:1/128, or ::1/128, which is used for local loopback (same function as 127.0.0.1 in IPv4). The data packets sent to ::/1 are actually sent to the local end and can be used for loopback tests of local protocol stacks. • Multicast address: identifies multiple interfaces. A packet destined for a multicast address is sent to all the interfaces joining in the corresponding multicast group. Only the interfaces that join a multicast group listen to the packets destined for the corresponding multicast address. • Anycast address: identifies a group of network interfaces (usually on different nodes). A packet sent to an anycast address is routed to the nearest interface having that address, according to the router's routing table. • IPv6 does not define any broadcast address. On an IPv6 network, all broadcast application scenarios are served by IPv6 multicast.

• Global unicast addresses that start with binary value 000 can use a non-64-bit network prefix. Such addresses are not covered in this course.

• An interface ID is 64 bits long and is used to identify an interface on a link. The interface ID must be unique on each link. The interface ID is used for many purposes. Most commonly, an interface ID is attached to a link-local address prefix to form the link-local address of the interface. It can also be attached to an IPv6 global unicast address prefix in SLAAC to form the global unicast address of the interface. • IEEE EUI-64 standard ▫ Converting MAC addresses into IPv6 interface IDs reduces the configuration workload. Especially, you only need an IPv6 network prefix in SLAAC to form an IPv6 address. ▫ The defect of this method is that IPv6 addresses can be deducted by attackers based on MAC addresses.

• You can apply for a GUA from a carrier or the local IPv6 address management organization.

• Types and scope of IPv6 multicast groups: ▫ Flags: ▪ 0000: permanent or well-known multicast group ▪ 0001: transient multicast group ▫ Scope: ▪ 0: reserved ▪ 1: interface-local scope, which spans only a single interface on a node and is useful only for loopback transmission of multicast ▪ 2: link-local scope (for example, FF02::1) ▪ 5: site-local scope ▪ 8: organization-local scope

▪ E: global scope ▪ F: reserved

• An application scenario example of a solicited-node multicast group address is as follows: In IPv6, ARP and broadcast addresses are canceled. When a device needs to request the MAC address corresponding to an IPv6 address, the device still needs to send a request packet, which is a multicast packet. The destination IPv6 address of the packet is the solicited-node multicast address corresponding to the target IPv6 unicast address. Because only the target node listens to the solicited-node multicast address, the multicast packet is received only by the target node, without affecting the network performance of other non-target nodes.

• The anycast process involves an anycast packet initiator and one or more responders. ▫ An initiator of an anycast packet is usually a host requesting a service (for example, a web service). ▫ The format of an anycast address is the same as that of a unicast address. A device, however, can send packets to multiple devices with the same anycast address. • Anycast addresses have the following advantages: ▫ Provide service redundancy. For example, a user can obtain the same service (for example, a web service) from multiple servers that use the same anycast address. These servers are all responders of anycast packets. If no anycast address is used and one server fails, the user needs to obtain the address of another server to establish communication again. If an anycast address is used and one server fails, the user can automatically communicate with another server that uses the same address, implementing service redundancy. ▫ Provide better services. For example, a company deploys two servers – one in province A and the other in province B – to provide the same web service. Based on the optimal route selection rule, users in province A preferentially access the server deployed in province A when accessing the web service provided by the company. This improves the access speed, reduces the access delay, and greatly improves user experience.

• SLAAC is a highlight of IPv6. It enables IPv6 hosts to be easily connected to IPv6 networks, without the need to manually configure IPv6 addresses and to deploy application servers (such as DHCP servers) to assign addresses to hosts. SLAAC uses ICMPv6 RS and RA messages. • Address resolution uses ICMPv6 NS and NA messages. • DAD uses ICMPv6 NS and NA messages to ensure that no two identical unicast addresses exist on the network. DAD must be performed on all interfaces before they use unicast addresses.

• IPv6 supports stateful and stateless address autoconfiguration. The managed address configuration flag (M flag) and other stateful configuration flag (O flag) in ICMPv6 RA messages are used to control the mode in which terminals automatically obtain addresses. • For stateful address configuration (DHCPv6), M = 1, O = 1: ▫ DHCPv6 is used. An IPv6 client obtains a complete 128-bit IPv6 address, as well as other address parameters, such as DNS and SNTP server address parameter, from a DHCPv6 server. ▫ The DHCPv6 server records the allocation of the IPv6 address (this is where stateful comes). ▫ This method is complex and requires high performance of the DHCPv6 server. ▫ Stateful address configuration is mainly used to assign IP addresses to wired terminals in an enterprise, facilitating address management. • For SLAAC, M = 0, O = 0: ▫ ICMPv6 is used. ▪ The router enabled with ICMPv6 RA periodically advertises the IPv6 address prefix of the link connected to a host. ▪ Alternatively, the host sends an ICMPv6 RS message, and the router replies with an RA message to notify the link's IPv6 address prefix.

• Assume that R1 is an online device with an IPv6 address 2001::FFFF/64. After the PC goes online, it is configured with the same IPv6 address. Before the IPv6 address is used, the PC performs DAD for the IPv6 address. The process is as follows: 1. The PC sends an NS message to the link in multicast mode. The source IPv6 address of the NS message is ::, and the destination IPv6 address is the solicitednode multicast address corresponding to 2001::FFFF for DAD, that is, FF02::1:FF00:FFFF. The NS message contains the destination address 2001::FFFF for DAD. 2. All nodes on the link receive the multicast NS message. The node interfaces that are not configured with 2001::FFFF are not added to the solicited-node multicast group corresponding to 2001::FFFF. Therefore, these node interfaces discard the received NS message. R1's interface is configured with 2001::FFFF and joins the multicast group FF02::1:FF00:FFFF. After receiving the NS message with 2001::FFFF as the destination IP address, R1 parses the message and finds that the destination address of DAD is the same as its local interface address. R1 then immediately returns an NA message. The destination address of the NA message is FF02::1, that is, the multicast address of all nodes. In addition, the destination address 2001::FFFF and the MAC address of the interface are filled in the NA message. 3. After the PC receives the NA message, it knows that 2001::FFFF is already in use on the link. The PC then marks the address as duplicate. This IP address cannot be used for communication. If no NA message is received, the PC determines that the IPv6 address can be used. The DAD mechanism is similar to gratuitous ARP in IPv4.

• IPv6 address resolution does not use ARP or broadcast. Instead, IPv6 uses the same NS and NA messages as those in DAD to resolve data link layer addresses. • Assume that a PC needs to parse the MAC address corresponding to 2001::2 of R1. The detailed process is as follows:

1. The PC sends an NS message to 2001::2. The source address of the NS message is 2001::1, and the destination address is the solicited-node multicast address corresponding to 2001::2. 2. After receiving the NS message, R1 records the source IPv6 address and source MAC address of the PC, and replies with a unicast NA message that contains its own IPv6 address and MAC address. 3. After receiving the NA message, the PC obtains the source IPv6 address and source MAC address from the message. In this way, both ends create a neighbor entry about each other.

1. 2001:DB8::32A:0:0:2D70 or 2001:DBB:0:0:32A::2D70 2. An IPv6 host obtains an address prefix from the RA message sent by the related router interface, and then generates an interface ID by inserting a 16-bit FFEE into the existing 48-bit MAC address of the host's interface. After generating an IPv6 address, the IPv6 host checks whether the address is unique through DAD.

• In 1964, IBM spent US$5 billion on developing IBM System/360 (S/360), which started the history of mainframes. Mainframes typically use the centralized architecture. The architecture features excellent I/O processing capability and is the most suitable for processing large-scale transaction data. Compared with PCs, mainframes have dedicated hardware, operating systems, and applications. • PCs have undergone multiple innovations from hardware, operating systems, to applications. Every innovation has brought about great changes and development. The following three factors support rapid innovation of the entire PC ecosystem: ▫ Hardware substrate: The PC industry has adapted a simple and universal hardware base, x86 instruction set. ▫ Software-defined: The upper-layer applications and lower-layer basic software (OS and virtualization) are greatly innovated. ▫ Open-source: The flourishing development of Linux has verified the correctness of open source and bazaar model. Thousands of developers can quickly formulate standards to accelerate innovation.

• The switch is used as an example to describe the forwarding plane, control plane, and management plane. • Forwarding plane: provides high-speed, non-blocking data channels for service switching between service modules. The basic task of a switch is to process and forward various types of data on its interfaces. Specific data processing and forwarding, such as Layer 2, Layer 3, ACL, QoS, multicast, and security protection, occur on the forwarding plane. • Control plane: provides functions such as protocol processing, service processing, route calculation, forwarding control, service scheduling, traffic statistics collection, and system security. The control plane of a switch is used to control and manage the running of all network protocols. The control plane provides various network information and forwarding query entries required for data processing and forwarding on the data plane. • Management plane: provides functions such as system monitoring, environment monitoring, log and alarm processing, system software loading, and system upgrade. The management plane of a switch provides network management personnel with Telnet, web, SSH, SNMP, and RMON to manage devices, and supports, parses, and executes the commands for setting network protocols. On the management plane,

parameters related to various protocols on the control plane must be pre-configured, and the running of the control plane can be intervened if necessary. • Some Huawei series products are divided into the data plane, management plane, and monitoring plane.

• Vision of network service deployment: ▫ Free mobility based on network policies, regardless of physical locations ▫ Quick deployment of new service ▫ ZTP deployment on the physical network ▫ Plug-and-play of devices

• Controller-to-Switch messages: ▫ Features message: After an SSL/TCP session is established, the controller sends Features messages to a switch to request switch information. The switch must send a response, including the interface name, MAC address, and interface rate. ▫ Configuration message: The controller can set or query the switch status.

▫ Modify-State message: The controller sends this message to a switch to manage the switch status, that is, to add, delete, or modify the flow table and set interface attributes of the switch. ▫ Read-State message: The controller sends this message to collect statistics on the switch.

▫ Send-Packet message: The controller sends the message to a specific interface of the switch. • Asynchronous messages: ▫ Packet-in message: If no matching entry exists in the flow table or the action "send-to-controller" is matched, the switch sends a packet-in message to the controller. ▫ Packet-out message: The controller sends this message to respond to a switch. ▫ Flow-Removed message: When an entry is added to a switch, the timeout interval is set. When the timeout interval is reached, the entry is deleted. The switch then sends a Flow-Removed message to the controller. When an entry in the flow table needs to be deleted, the switch also sends this message to the controller. ▫ Port-status message: A switch sends this message to notify the controller when the interface configuration or state changes.

• Match Fields: a field against which a packet is matched. (OpenFlow 1.5.1 supports 45 options). It can contain the inbound interface, inter-flow table data, Layer 2 packet header, Layer 3 packet header, and Layer 4 port number. • Priority: matching sequence of a flow entry. The flow entry with a higher priority is matched first. • Counters: number of packets and bytes that match a flow entry. • Instructions: OpenFlow processing when a packet matches a flow entry. When a packet matches a flow entry, an action defined in the Instructions field of each flow entry is executed. The Instructions field affects packets, action sets, and pipeline processing. • Timeouts: aging time of flow entries, including Idle Time and Hard Time. ▫ Idle Time: If no packet matches a flow entry after Idle Time expires, the flow entry is deleted.

▫ Hard Time: After Hard Time expires, a flow entry is deleted regardless of whether a packet matches the flow entry. • Cookie: identifier of a flow entry delivered by the controller. • Flags: This field changes the management mode of flow entries.

• For tables 0-255, table 0 is first matched. In a flow table, flow entries are matched by priority. The flow entry with a higher priority is matched first. • Currently, OpenFlow is mainly used on software switches, such as OVSs and CE1800Vs, in DCs, but not on physical switches to separate forwarding and control planes.

• Forwarding-control separation is a method to implement SDN.

• Orchestration application layer: provides various upper-layer applications for service intents, such as OSS and OpenStack. The OSS is responsible for service orchestration of the entire network, and OpenStack is used for service orchestration of network, compute, and storage resources in a DC. There are other orchestration-layer applications. For example, a user wants to deploy a security app. The security app is irrelevant to the user host location but invokes NBIs of the controller. Then the controller delivers instructions to each network device. The command varies according to the SBI protocol. • Controller layer: The SDN controller is deployed at this layer, which is the core of the SDN network architecture. The controller layer is the brain of the SDN system, and its core function is to implement network service orchestration. • Device layer: A network device receives instructions from the controller and performs forwarding. • NBI: NBIs are used by the controller to interconnect with the orchestration application layer, mainly RESTful. • SBI: SBIs used by the controller to interact with devices through protocols such as NETCONF, SNMP, OpenFlow, and OVSDB.

• Cloud platform: resource management platform in a cloud DC. The cloud platform manages network, compute, and storage resources. OpenStack is the most mainstream open-source cloud platform. • The Element Management System (EMS) manages one or more telecommunication network elements (NEs) of a specific type. • Orchestration (container orchestration): The container orchestration tool can also provide the network service orchestration function. Kubernetes is a mainstream tool. • MTOSI or CORBA is used to interconnect with the BSS or OSS. Kafka or SFTP can be used to connect to a big data platform.

• iMaster NCE converts service intents into physical network configurations. It manages, controls, and analyzes global networks in a centralized manner in the southbound direction. It enables resource cloudification, full-lifecycle network automation, and intelligent closed-loop driven by data analysis for business and service intents. It provides northbound open APIs for quick integration with IT systems. • iMaster NCE can be used in the enterprise data center network (DCN), enterprise campus, and enterprise branch interconnection (SD-WAN) scenarios to make enterprise networks simple, smart, open, and secure, accelerating enterprise service transformation and innovation.

• iMaster NCE-Fabric can connect to a user's IT system to match the intent model for user intents and deliver configurations to devices through NETCONF to implement fast service deployment. • iMaster NCE-Fabric can interconnect with the mainstream cloud platform (OpenStack), virtualization platform (vCenter/System Center), and container orchestration platforms (Kubernetes).

• iMaster NCE-FabricInsight provides AI-based intelligent O&M capabilities for DCs.

• Device plug-and-play includes but is not limited to deployment by scanning bar codes using an app, DHCP-based deployment, and deployment through the registration query center. • Registration center: Huawei device registration query center, also called registration center, is one of the main components of Huawei CloudCampus solution. It is used to query the device management mode and registration ownership. A device determines whether to switch to the cloud-based management mode and which cloud management platform to register with based on the query result. The AP is used as an example. Huawei devices that support cloud-based management are pre-configured with the URL (register.naas.huawei.com) and port number (10020) of the Huawei device registration center.

• Virtualized network functions (VNFs) are implemented by virtualizing traditional NEs such as IMSs and CPEs of carriers. After hardware is universalized, traditional NEs are no longer the products with embedded software and hardware. Instead, they are installed on universal hardware (NFVI) as software.

• In 2015, NFV research entered the second phase. The main research objective is to build an interoperable NFV ecosystem, promote wider industry participation, and ensure that the requirements defined in phase 1 are met. In addition, the ETSI NFV ISG specified the collaboration relationships between NFV and SDN standards and open source projects. Five working groups are involved in NFV phase 2: IFA (architecture and interface), EVE (ecosystem), REL (reliability), SEC (security), and TST (test, execution, and open source). Each working group mainly discusses the deliverable document framework and delivery plan. • The ETSI NFV standard organization cooperates with the Linux Foundation to start the open source project OPNFV (NFV open source project, providing an integrated and open reference platform), integrate resources in the industry, and actively build the NFV industry ecosystem. In 2015, OPNFV released the first version, further promoting NFV commercial deployment. • NFV-related standard organizations include: ▫ ETSI NFV ISG: formulates NFV requirements and functional frameworks. ▫ 3GPP SA5 working group: focuses on technical standards and specifications of 3GPP NE virtualization management (MANO-related). ▫ OPNFV: provides an open-source platform project that accelerates NFV marketization.

• Shortened service rollout time: In the NFV architecture, adding new service nodes becomes simple. No complex site survey or hardware installation is required. For service deployment, you only need to request virtual resources (compute, storage, and network resources) and software loading, simplifying network deployment. To update service logic, you simply need to add new software or load new service modules to complete service orchestration. Service innovations become simple. • Reduced network construction cost: Virtualized NEs can be integrated into COTS devices to reduce the cost. Enhancing network resource utilization and lowering power consumption can lower overall network costs. NFV uses cloud computing technologies and universal hardware to build a unified resource pool. Resources are dynamically allocated on demand based on service requirements, implementing resource sharing and improving resource utilization. For example, automatic scale-in and scale-out can be used to solve the resource usage problem in the tidal effect. • Enhanced network O&M efficiency: Automated and centralized management improves the operation efficiency and reduces the O&M cost. Automation includes DC-based hardware unit management automation, MANO application service life management automation, NFV- or SDN-based coordinated network automation. • Open ecosystem: The legacy telecom network exclusive software/hardware model

defines a closed system. NFV-based telecom networks use an architecture based on standard hardware platforms and virtual software. The architecture easily provides open platforms and open interfaces for third-party developers, and allows carriers to build open ecosystems together with third-party partners.

• On traditional telecom networks, each NE is implemented by dedicated hardware. A large number of hardware interoperability tests, installation, and configuration are required during network construction, which is time-consuming and labor-consuming. In addition, service innovation depends on the implementation of hardware vendors, which is time-consuming and cannot meet carriers' service innovation requirements. In this context, carriers want to introduce the virtualization mode to provide software NEs and run them on universal infrastructures (including universal servers, storage devices, and switches). • Using universal hardware helps carriers reduce the cost of purchasing dedicated hardware. Service software can be rapidly developed through iteration, which enables carriers to innovate services quickly and improve their competitiveness. By dong this, carriers can enter the cloud computing market.

• According to the NIST, cloud computing services have the following characteristics: ▫ On-demand self-service: Cloud computing implements on-demand self-service of IT resources. Resources cna be requested and released without intervention of IT administrators.

▫ Broad network access: Users can access networks anytime and anywhere. ▫ Resource pooling: Resources including networks, servers, and storage devices in a resource pool can be provided for users. ▫ Rapid elasticity: Resources can be quickly provisioned and released. The resource can be used immediately after being requested, and can be reclaimed immediately after being released. ▫ Measured service: The charging basis is that used resources are measurable. For example, charging is based on the number of CPUs, storage space, and network bandwidth.

• Each layer of the NFV architecture can be provided by different vendors, which improves system development but increases system integration complexity. • NFV implements efficient resource utilization through device normalization and software and hardware decoupling, reducing carriers' TCO, shortening service rollout time, and building an open industry ecosystem.

• The NFVI consists of the hardware layer and virtualization layer, which are also called COTS and CloudOS in the industry. ▫ COTS: universal hardware, focusing on availability and universality, for example, Huawei FusionServer series hardware server. ▫ CloudOS: cloud-based platform software, which can be regarded as the operating system of the telecom industry. CloudOS virtualizes physical compute, storage, and network resources into virtual resources for upper-layer software to use, for example, Huawei FusionSphere. • VNF: A VNF can be considered as an app with different network functions and is implemented by software of traditional NEs (such as IMS, EPC, BRAS, and CPE) of carriers. • MANO: MANO is introduced to provision network services in the NFV multi-CT or multi-IT vendor environment, including allocating physical and virtual resources, vertically streamlining management layers, and quickly adapting to and interconnecting with new vendors' NEs. The MANO includes the Network Functions Virtualization Orchestrator (NFVO, responsible for lifecycle management of network services), Virtualized Network Function Manager (VNFM, responsible for lifecycle management of VNFs), and Virtualized Infrastructure Manager (VIM, responsible for resource management of the NFVI).

• BSS: business support system • OSS: operation support system • A hypervisor is a software layer between physical servers and OSs. It allows multiple OSs and applications to share the same set of physical hardware. It can be regarded as a meta operating system in the virtual environment, and can coordinate all physical resources and VMs on the server. It is also called virtual machine monitor (VMM). The hypervisor is the core of all virtualization technologies. Mainstream hypervisors include KVM, VMWare ESXi, Xen, and Hyper-V.

• DSL: Digital Subscriber Line • OLT: Optical Line Terminal

1. BCD 2. NFV aims to address issues such as complex deployment and O&M and service innovation difficulties due to large numbers of telecom network hardware devices. NFV brings the following benefits to carriers while reconstructing telecom networks:

▫ Shortened service rollout time ▫ Reduced network construction cost ▫ Improved network O&M efficiency ▫ Open ecosystem

• Many network automation tools in the industry, such as Ansible, SaltStack, Puppet, and Chef, are derived from open-source tools. It is recommended that network engineers acquire the code programming capability.

• Based on language levels, computer languages can also be classified into machine language, assembly language, and high-level language. The machine language consists of 0 and 1 instructions that can be directly identified by a machine. Because machine languages are obscure, hardware instructions 0 and 1 are encapsulated to facilitate identification and memory (such as MOV and ADD), which is assembly language. The two languages are low-level languages, and other languages are highlevel languages, such as C, C++, Java, Python, Pascal, Lisp, Prolog, FoxPro, and Fortran. Programs written in high-level languages cannot be directly identified by computers. The programs must be converted into machine languages before being executed.

• A process of executing a computer's technology stack and programs. On the left is the computing technology stack. From the bottom layer of the hardware, physical materials and transistors are used to implement gate circuits and registers, and then the micro architecture of the CPU is formed. The instruction set of the CPU is an interface between hardware and software. An application drives hardware to complete calculation using an instruction defined in the instruction set. • Applications use certain software algorithms to implement service functions. Programs are usually developed using high-level languages, such as C, C++, Java, Go, and Python. The high-level language needs to be compiled into an assembly language, and then the assembler converts the assembly language into binary machine code based on a CPU instruction set. • A program on disk is a binary machine code consisting of a pile of instructions and data, that is, a binary file.

• Compiled languages are compiled into formats, such as .exe, .dll, and .ocx, that can be executed by machines. Compilation and execution are separated and cannot be performed across platforms. For example, x86 programs cannot run on ARM servers.

• JVM: Java virtual machine • PVM: Python VM

• Python is also a dynamically typed language. The dynamically typed language automatically determines the type of variable during program running. The type of a variable does not need to be declared.

• Python source code does not need to be compiled into binary code. Python can run programs directly from the source code. When Python code is run, the Python interpreter first converts the source code into byte code, and then the Python VM executes the byte code. • The Python VM is not an independent program and does not need to be installed independently.

• Basic data types of Python are Boolean (True/False), integer, floating point, and string. All data (Boolean values, integers, floating points, strings, and even large data structures, functions, and programs) in Python exists in the form of objects. This makes the Python language highly unified. • The execution results are 10, 20, Richard, 2, and SyntaxError, respectively. • This presentation does not describe Python syntax. For Python syntax details, see the HCIP course.

• if...else... is a complete block of code with the same indentation. • print(a) calls parameter a, and it is in the same code block with if...else...clause.

• The interpreter declaration is used to specify the path of the compiler that runs this file (the compiler is installed in a non-default path or there are multiple Python compilers). In the Windows , you can omit the first line of the interpreter declaration in the preceding example. • The encoding format declaration is used to specify the encoding type used by the program to read the source code. By default, Python 2 uses ASCII code (Chinese is not supported), and Python 3 supports UTF-8 code (Chinese is supported). • docstring is used to describe the functions of the program. • time is a built-in module of Python and provides functions related to processing time.

• Official definitions of functions and methods: •

A series of statements which returns some value to a caller. It can also be passed zero or more arguments which may be used in the execution of the body.

•

A function which is defined inside a class body. If called as an attribute of an instance of that class, the method will get the instance object as its first argument (which is usually called self).

• For more information about classes, see https://docs.python.org/3/tutorial/classes.html.

• Telnet defines the network virtual terminal (NVT). It describes the standard representation of data and sequences of commands transmitted over the Internet to shield the differences between platforms and operating systems. For example, different platforms have different line feed commands. • Telnet communication adopts the inband signaling mode. That is, Telnet commands are transmitted in data streams. To distinguish Telnet commands from common data, Telnet uses escape sequences. Each transition sequence consists of 2 bytes. The first byte (0xFF) is called Interpret As Command (IAC), which indicates that the second byte is a command. EOF is also a Telnet command. Its decimal code is 236. • A socket is an abstraction layer. Applications usually send requests or respond to network requests through sockets. • For more information, see https://docs.python.org/3/library/telnetlib.html.

• In this case, the Windows operating system is used as an example. Run the telnet 192.168.10.10 command. In the preceding step, a Telnet login password is set. Therefore, the command output is • Password:

• Enter the password Huawei@123 for authentication. The login is successful.

• In Python, the encode() and decode() functions are used to encode and decode strings in a specified format, respectively. In this example, password.encode('ascii') is to convert the string Huawei@123 into the ASCII format. The encoding format complies with the official requirements of the telnetlib module. • Add a string b, b'str', indicating that the string is a bytes object. In this example, b'Password:' indicates that the string Password:' is converted into a string of the bytes type. The encoding format complies with the official requirements of the telnetlib module. • For more information about Python objects, see https://docs.python.org/3/reference/datamodel.html#objects-values-and-types.

1. B 2. You can use the telnetlib.write() method. After logging in to the device, issue the system-view command to access the system view, and then issue the vlan 10 command to create a VLAN. (For a device running the VRPv8, issue the system-view immediately command to access the system view.)

• The campus network scale is flexible depending on actual requirements. It can be a small office home office (SOHO), a school campus, enterprise campus, park, or shopping center. However, the campus network cannot be scaled out infinitely. Typically, large campuses, such as university campuses and industrial campuses, are limited within several square kilometers. Such campus networks can be constructed using local area network (LAN) technology. A campus network beyond this scope is usually considered as a metropolitan area network (MAN) and is constructed using the WAN technology.

• Typical LAN technologies used on campus networks include IEEE 802.3-compliant Ethernet (wired) technologies and IEEE 802.11-compliant Wi-Fi (wireless) technologies.

• Typical layers and areas of a campus network: ▫ Core layer: is the backbone area of a campus network, which is the data switching core. It connects various parts of the campus network, such as the data center, management center, and campus egress. ▫ Aggregation layer: is a middle layer of a campus network, and completes data aggregation or switching. Some fundamental network functions, such as routing, QoS, and security, are also provided at this layer.

▫ Access layer: As the edge of a campus network, this layer connects end users to the campus network. ▫ Egress area: As the edge that connects a campus network to an external network, this area enables mutual access between the two networks. Typically, a large number of network security devices, such as intrusion prevention system (IPS) devices, anti-DDoS devices, and firewalls, are deployed in this area to defend against attacks from external networks. ▫ Data center area: has servers and application systems deployed to provide data and application services for internal and external users of an enterprise.

▫ Network management area: Network management systems, including the SDN controller, WAC, and eLog (log server), are deployed in this area to manage and monitor the entire campus network.

• A campus network project starts from network planning and design. Comprehensive and detailed network planning will lay a solid foundation for subsequent project implementation.

• Project implementation is a specific operation procedure for engineers to deliver projects. Systematic management and efficient process are critical to successful project implementation. • Routine O&M and troubleshooting are required to ensure the normal running of network functions and support smooth provisioning of user services. • As users' services develop, the users' requirements on network functions increase. If the current network cannot meet service requirements, or potential problems are found while the network is running, the network needs to be optimized.

• The entire network uses a three-layer architecture. ▫ The S3700 is deployed as the access switch to provide 100 Mbit/s network access for employees' PCs and printers. ▫ The S5700 is deployed at the aggregation layer as the gateway of the Layer 2 network. ▫ The AR2240 is deployed at the core and egress of a campus network. • Note: Agg is short for aggregation, indicating a device at the aggregation layer. Acc is short for Access, indicating an access device.

• Dynamic IP address assignment or static IP address binding can be used for IP address assignment. On a small or midsize campus network, IP addresses are assigned based on the following principles:

• IP addresses of WAN interfaces on egress gateways are assigned by the carrier in static, DHCP, or PPPoE mode. The IP addresses of the egress gateways need to be obtained from the carrier in advance. • It is recommended that servers and special terminals (such as punch-card machines, printing servers, and IP video surveillance devices) use statically bound IP addresses. • User terminal: It is recommended that the DHCP server be deployed on the gateway to dynamically assign IP addresses to user terminals such as PCs and IP phones using DHCP.

• The routing design of a small or midsize campus network includes design of internal routes and the routes between the campus egress and the Internet or WAN devices. • The internal routing design of a small or midsize campus network must meet the communication requirements of devices and terminals on the campus network and enable interaction with external routes. As the campus network is small in size, the network structure is simple. ▫ AP: After an IP address is assigned through DHCP, a default route is generated by default. ▫ Switch and gateway: Static routes can be used to meet requirements. No complex routing protocol needs to be deployed. • The egress routing design meets the requirements of intranet users for accessing the Internet and WAN. When the egress device is connected to the Internet or WAN, you are advised to configure static routes on the egress device.

• In addition to planning the networking and data forwarding mode, you also need to perform the following operations: ▫ Network coverage design: You need to design and plan areas covered by Wi-Fi signals to ensure that the signal strength in each area meets user requirements and to minimize co-channel interference between neighboring APs. ▫ Network capacity design: You need to design the number of APs required based on the bandwidth requirements, number of terminals, user concurrency rate, and per-AP performance. This ensures that the WLAN performance can meet the Internet access requirements of all terminals. ▫ AP deployment design: Based on the network coverage design, modify and confirm the actual AP deployment position, deployment mode, and power supply cabling principles based on the actual situation. ▫ In addition, WLAN security design and roaming design are required.

1. Network planning and design, deployment and implementation, O&M, and optimization 2. IP address used by the network administrator to manage a device